As it happens, this incident was discovered by a curious user who had a script watching for new accounts with staff privileges, who brought the attacker's account to the company's attention (in chat) because it looked unusual.
Stack Overflow seem to be following a very responsible incident response procedure, perhaps instituted by their new VP of Engineering (the author of the OP). It is nice to see.
Wow! Note to self: maybe having a slack bot or something that yells really loudly whenever someone gains or loses admin privileges would be a good idea.
Stack Exchange Data Explorer (SEDE) has been around for quite a while. The user table contains flags for this. Who mods are has never been hidden. The user in question drew attention by having 1 rep and having CM level privilege on 173 sites. They also engaged in a pattern of behavior that didn't fit with that level of privilege.
Sorry, by "staff" did you mean company staff (employee) or did you mean site moderator?
Also, what User table are you looking at? The one I'm looking at only has these fields: Reputation, CreationDate, DisplayName, LastAccessDate, WebsiteUrl, Location, AboutMe, Views, UpVotes, DownVotes, ProfileImageUrl, EmailHash, AccountId
I know that would likely be the main entry point and who found it. I reviewed the chat logs, which are public, and they just said they found it. As far as I know this isn't exactly hard information to find as you could just parse the moderator listings if you needed to.
This was their post for context: "API reports is_employee as False, but the user is not on mod lists, so... ?"
I see. The moderator listings are updated once a day I think. This seemed to happen more quickly than that, so unless it was just plain luck on when it was updated, I don't think it's that.
I updated my post with their comment. They may not be directly going through SEDE, as there is an API that can be used. I know there is a bot called Charcoal that sniffs out bad posts etc. and auto-reports them, for example, that uses the API.
There are IIRC a few minor exceptions, but those are for smaller communities just out of Area 51 AFAIK and those still apply to users that have shown extensive involvement in those communities. That said those users still have more than 1 rep in all cases AFAIK.
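The kind of privilege watcher discussed in this thread, as an added example that is not part of any comment above and is not Stack Exchange's or the reporting user's code: it diffs two snapshots of privileged accounts and flags the signals the thread mentions (not an employee and not on the mod list, 1 rep, elevated on 173 sites). The snapshot format, every field name except `is_employee`, the thresholds and the sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Account:  # hypothetical snapshot record, not a real API schema
    account_id: int
    reputation: int
    is_employee: bool
    elevated_sites: frozenset  # sites where the account holds elevated privileges

def privilege_changes(previous, current):
    """Diff two {account_id: Account} snapshots; return (gained, lost) site sets."""
    gained, lost = {}, {}
    for aid in previous.keys() | current.keys():
        before = previous[aid].elevated_sites if aid in previous else frozenset()
        after = current[aid].elevated_sites if aid in current else frozenset()
        if after - before:
            gained[aid] = after - before
        if before - after:
            lost[aid] = before - after
    return gained, lost

def anomalies(account, mod_list, min_reputation=100, max_sites=5):
    """Reasons a newly privileged account looks unusual (thresholds are assumptions)."""
    reasons = []
    if not account.is_employee and account.account_id not in mod_list:
        reasons.append("elevated but neither employee nor on mod list")
    if account.reputation < min_reputation:
        reasons.append(f"reputation {account.reputation} below {min_reputation}")
    if len(account.elevated_sites) > max_sites:
        reasons.append(f"elevated on {len(account.elevated_sites)} sites")
    return reasons

def alerts(previous, current, mod_list):
    """One alert per gain or loss; this is what a chat bot would post."""
    gained, lost = privilege_changes(previous, current)
    out = [(aid, "gained", sorted(gained[aid]), anomalies(current[aid], mod_list))
           for aid in sorted(gained)]
    out += [(aid, "lost", sorted(lost[aid]), []) for aid in sorted(lost)]
    return out

# Constructed snapshots: account 3 appears with 1 rep and privileges on 173 sites.
SITES = frozenset(f"site{i}" for i in range(173))
PREVIOUS = {1: Account(1, 25000, False, frozenset({"site0"})),
            2: Account(2, 9000, True, frozenset({"site0", "site1"}))}
CURRENT = {1: Account(1, 25000, False, frozenset({"site0"})),
           2: Account(2, 9000, True, frozenset({"site0"})),
           3: Account(3, 1, False, SITES)}
MOD_LIST = {1}  # account ids on the published moderator list

if __name__ == "__main__":
    for alert in alerts(PREVIOUS, CURRENT, MOD_LIST):
        print(alert[0], alert[1], len(alert[2]), alert[3])
```

Losses are reported as well as gains, so an unexpected revocation is as visible as an unexpected grant.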