
Show HN: This up votes itself - olalonde
http://news.ycombinator.com/vote?for=3742902&dir=up&whence=%6e%65%77%65%73%74
======
naz
This is why you shouldn't allow GET for performing actions. An image tag in an
article could do the same thing (e: if it didn't check the referrer).

~~~
olalonde
Someone in the other thread pointed out it at least checked the referrer
header.

~~~
simonw
That's not a good enough solution - there are decent reasons that a referrer
header might be missing (some PC antivirus software strips out referrer
headers for example). The only safe way to handle this is with a POST request
protected by a CSRF token tied to a cookie.

~~~
jpablo
GET with randomized ids and checking referrer should be good enough to keep
things simple.

------
olalonde
Credits to <http://news.ycombinator.com/item?id=3742742> (GreekOphion) for
finding the bug.

~~~
GreekOphion
Wow, you're getting more votes than I did.

~~~
olalonde
"It's all about the execution", "Usability counts", "Ideas are worthless",
yadda yadda... Joking aside, congrats on finding the bug. I would send you the
karma if I could!

------
akavi
It's amusing watching the vote count skyrocket upward as the curious click on
it. It's getting more than a vote a second.

Side Note: I've always wondered why HN doesn't let you reneg on your upvote. I
imagine this would have a good deal fewer votes if people could.

------
cs702
This looks set to become the all-time #1-ranked submission soon. Compare it to
other top-ranked submissions here:
[http://www.hnsearch.com/search#request/all&q=+&sortb...](http://www.hnsearch.com/search#request/all&q=+&sortby=points+desc)

[EDIT: corrected link. Thanks ma2rten!]

~~~
akavi
That list is clearly not comprehensive (For example, there were multiple Steve
Jobs related submissions that got over 1000 points).

~~~
ma2rten
Yep,
[http://www.hnsearch.com/search#request/all&q=+&sortb...](http://www.hnsearch.com/search#request/all&q=+&sortby=points+desc)

EDIT: You are welcome. I am not sure this is comprehensive either, though. For
one it will only include submissions with a space in the title, I think.

~~~
cs702
Still, much better than what I got with /over?points= ...

------
numlocked
An interesting side effect may be to drive registrations, as it will appear to
non logged-in users that they have to create an account before viewing the #1
item.

------
im3w1l
The amount of people proposing POST as a solution, shows the need for this
subject to be lifted. There are methods for auto-posting you know...

~~~
getsat
POST alone isn't sufficient. You need CSRF protection, too (which, in this
case, would protect from same-site request forgery).

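As an added illustration of simonw's and getsat's points above (a referrer check is brittle, and POST alone is not enough), here is a minimal vote endpoint, written for this thread and not HN's own code, that refuses GET and requires a CSRF token bound to the session cookie; the secret, the cookie name `session`, and the session ids are constructed example values, while `for`, `dir` and the item id 3742902 come from the URL in the submission.

```python
import hashlib
import hmac
from urllib.parse import parse_qs

# Server-side secret (constructed for this example); never sent to the browser.
SECRET_KEY = b"example-server-secret-do-not-reuse"


def csrf_token_for(session_id: str) -> str:
    """Token tied to the login cookie: HMAC(secret, session_id).

    A third-party page can neither read the cookie (same-origin policy)
    nor compute the HMAC without the secret, so it cannot forge this."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def vote_form_html(session_id: str, item_id: str, direction: str) -> str:
    """The markup the site itself renders for a logged-in user's vote button."""
    token = csrf_token_for(session_id)
    return (f'<form method="post" action="/vote">'
            f'<input type="hidden" name="for" value="{item_id}">'
            f'<input type="hidden" name="dir" value="{direction}">'
            f'<input type="hidden" name="csrf" value="{token}">'
            f'<button>{direction}vote</button></form>')


def handle_vote(method: str, cookies: dict, body: str) -> tuple:
    """Decide a /vote request. Returns (HTTP status, message).

    No Referer check is needed: a missing or stripped Referer header
    does not lock out a legitimate user, and the token does the work."""
    if method != "POST":
        # A link or <img src=...> can only issue GET, so refuse it outright.
        return 405, "votes must be POSTed"
    session_id = cookies.get("session")
    if not session_id:
        return 401, "login required"
    form = {k: v[0] for k, v in parse_qs(body).items()}
    # Constant-time compare against the token derived from THIS user's cookie;
    # an auto-submitted cross-site form carries the cookie but not the token.
    expected = csrf_token_for(session_id).encode()
    if not hmac.compare_digest(form.get("csrf", "").encode(), expected):
        return 403, "missing or invalid CSRF token"
    item_id, direction = form.get("for", ""), form.get("dir", "")
    if not item_id.isdigit() or direction not in ("up", "down"):
        return 400, "bad vote parameters"
    return 200, f"voted {direction} on {item_id}"
```
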
------
olalonde
This is officially the 2nd highest ranking post ever.
[http://www.hnsearch.com/search#request/all&q=+&sortb...](http://www.hnsearch.com/search#request/all&q=+&sortby=points+desc)
(HN search is a bit delayed)

------
dsrguru
If allowed to continue without intervention or a bug fix, this thread will
stay at the top of HN forever.

------
patrickod
Interesting. It's almost like a view counter for the article

~~~
Vaanir
Yep, it was 130 as I read this comment. Going over 140 now. Click click
click..

------
dustingetz
Is OP a mod? How did he know what his post id would be before he submitted it?
Spraying [sequential] submissions all at once?

[edit]

~~~
citricsquid
IDs are sequential, you can predict them with ease. For example (without
editing) I can tell you my comment ID (for this comment) will be: 3743005

(edit: nope, I was 3 off, you get the point though, apparently a lot of people
are commenting at the moment, ha)

~~~
olalonde
Yes, that's how I did it. Took me about 3 attempts.

------
guynamedloren
A clever, temporary solution to this would be to change the link to downvote
the article and watch it trickle back to zero. Do it, pg!

~~~
ma2rten
Genius plan, except that there is no downvote for submissions ...

~~~
MichaelApproved
I thought there was a downvote for users with a high enough level of points.

~~~
guynamedloren
Appears as though this may exist for comments only - not submissions. Though I
wonder if a link would work just the same?

------
zt
When I saw the first one of these, I thought to myself that the front-page
wouldn't be overwhelmed by these posts. The whole reason most of us are here
is that it is a mature community. As the first post was enough to prove the
point, why did OP post it again? (S)He apologizes and gives credit to
"<http://news.ycombinator.com/item?id=3742742> (GreekOphion) for finding the
bug", but why make the post at all? What good does it do? "I would send you
the karma if I could!" just seems disingenuous.

~~~
cs702
zt: maturity has nothing to do with this. Hackers appreciate clever hacks,
_especially_ those that are self-referential. That's all there is to it.

------
kaybe
A slightly unrelated question: What's up with those non-votable non-
commentable recruiting links that have been up on the front page recently? Was
that another bug exploit?

~~~
zt
YC funded companies can post such links. Most of them are also found at
<http://news.ycombinator.com/jobs>.

------
donw
Bonus points for pointing out the bug, and not using it as a way to blast some
rubbish marketing to the front page.

~~~
bigiain
I can't help but wonder if someone discovered this before, and realised they'd
need to put some sort of throttling in place to keep it under the radar…

(Maybe _that_ explains why so many TechCrunch articles make the front page?)

~~~
avree
You can see what it's doing in the URL. You don't see that in other submission
URLs.

~~~
unimpressive
You could send it to a link which is hooked to a script that swaps the links
for one in ten views or what have you. The extra benefit of that approach is
that you don't have to worry about getting the submission ID right when
submitting. You can just edit it on your server retroactively.

Not that I'd ever be crazy enough to try this for real, of course.

EDIT: According to posts I've read the votes aren't valid if the referrer
isn't Hacker News. So the only thing possible is what's on display.

------
benatkin
I took care to click _comments_.

------
AndyKelley
I would have fixed my vote at least, but:

[http://news.ycombinator.com/vote?for=3742902&dir=down...](http://news.ycombinator.com/vote?for=3742902&dir=down&whence=newest)

"Can't make that vote."

------
Garthex
I'm curious as to whether this post will ever leave the front page. If it
keeps getting points at an alarming rate, is there anything in the algorithm
to eventually lower the ranking?

~~~
dbh937
Moderators might take it off.

------
sams99
So, we have 3 of these now ... on the front page ... I guess this is a side
effect of the community not having anywhere to submit bugs to.

------
MichaelApproved
Looks like it was removed from the front page by someone. Fun while it
lasted...

------
liamk
This could become the most voted up submission of all time.

------
Finbarr
I wonder if this has been manipulated in the past.

~~~
JeremyBanks
I think I remember seeing a post just like this a couple of years ago, after
which the bug was fixed. I wonder if there was a regression or if this is
somehow different.

------
dbh937
This is staying as #1 for a while.

------
johndoeee
You can also secretly iframe it, always wondered if someone did it.

Also a good example of why you need to use POST for stuff like this :)

------
palish
I exploited this about 5 years ago. (I think it was called "Startup News" back
then, though!)

<http://news.ycombinator.com/item?id=27615>

I think you need to set "showdead" in your profile to see this. It got killed
pretty quickly, but netted me ~150 karma which was amusingly nontrivial back
then. And as a byproduct, I think I became the first "public member" to get a
glimpse of Arc, which was closed-source at the time. I won't disclose how
(since I haven't asked for permission to share the details) but it was pretty
much one of the happiest days of my life, for some stupid reason. I was young
and giddy and felt like I'd just won something special.

To give you an idea of how ancient this is, check out the id of the thread --
only #27,615. Man, time flies when you're watching a community grow, eh? It's
like watching a child mature over years -- into an increasingly-annoying
version of themselves while slowly getting fatter and fatter over the years,
of course. (I kid, I kid.)

Bonus: I just now noticed that I'd gotten into a debate with Paul B in that
thread. Hah. I was too cocky back then... I should have been listening and
asking questions, not talking!

Man, I miss those days so much. I never knew how rare they were until they
were gone. Like, my girlfriend (now wife) and I went on vacation, during which
we prototyped and launched a whole webapp in Rails 1.0! Who does that? Not me,
anymore -- At least, not until I lose my day job like a bad case of music.
Makes me wonder if I still have my old "hey, I'm 18 and ignorant of my own
flaws!" level of productivity...

====

EDIT: Oh, look. I have the attention of the majority of HN. Allow me to now
exploit you:

To whoever has read up to here: you hereby implicitly agree to my EULA, in which
you swear to enjoy each of your scientific pursuits with intensity and to your
fullest degree; and sometimes even to a dangerous degree, if the mood carries
you thus. Additionally, you agree to never allow an employer, family member,
or any other authority to break your intrinsic spirit; for they have no means
of dominating your spirit except that which you subconsciously allow them. You
shall be true to yourself and to your own principles, regardless of society
(though in privacy). You shall hereby refuse to believe any scientific
statement as "true", however benign, except those in which you alone have
proven to yourself to be true, by your own hand and evidence. (Though it
doesn't hurt to check out what other people have to say on the subject, from
time to time; in fact, it turns out to often be a more valuable course of
action, for the careful analysis of a close friend can often reveal subtle
flaws in your process and in your logic, while occasionally forcing you to re-
evaluate your core reasoning for choosing that process in the first place,
which _always_ leads to the path of learning and thus improvement and
satisfaction.) You agree to eventually die with no regrets. Let no one impose
themselves upon your judgement without merit. You shall endeavor to enjoy life
to the fullest extent of the law (where applicable), and to realize that money
is merely a means, not an end unto itself. In your spare time, you shall
research that which is impossible, but intriguing, in order to always have
something to strive for, thereby improving your skill and your spirit. You
shall follow your curiosity wherever it leads (but keep both eyes open for
signs of danger).

Most importantly: thou shalt enjoy every week, else thou shalt fix your life's
situation regardless of how immutable it may seem.

Go -- build something out of passion. Right now!

~~~
srl
> Bonus: I just noticed I'd gotten into a debate with Paul B in that thread.
> Hah. I was too cocky back then... I should have been listening, not talking!

OT but funny story: back when I was first getting into programming heavily (I
had dabbled for about 4 years, but wasn't particularly good), I started
learning perl, and got into a flame war on freenode with some random guy I had
never seen on before (in the three times I had visited). It was weird -
everybody sided with him, so strongly that I was really confused. His username
was strange, too - something about "toady".

Yup, I, a perl programmer of 2 weeks, got into a flame war with Larry Wall.
Didn't realize it for years, until I saw his IRC nick mentioned somewhere
else. Ouch.

------
sethbannon
Brilliant.

------
robertelder
lawl

------
reason
You are ruining the sanctity of karma.

Edit: Lotsa serious folks on tonight.

------
minikomi
I wouldn't usually do this but.. _so brave_

