Quora engineers accused of vandalizing a clone’s website (greyreview.com)
68 points by betolive on March 16, 2011 | 57 comments



The full quote from Rick Ross is "I am grateful that Ben Newman and Albert Sheu of Quora have identified a (now fixed) XSS vulnerability in our test site, but I am surprised that Quora policy permits developers to engage so openly in vandalizing other people's websites." which is slightly nicer than that article makes it sound.

Personally, I think the Quora engineers involved made some poor decisions. Anyone who looks for security vulnerabilities on websites they don't own or control is on shaky legal footing (there are exceptions: Google, Mozilla, Facebook, and a few other companies provide systems for the responsible disclosure of vulnerabilities). However, publicly disclosing vulnerabilities on a competitor's website (and making your proof of concept mildly malicious) is never going to work out well for anyone: it makes your company look like a bully and exposes you to potential legal ramifications.


As a former web application security guy, and now developer, identifying and disclosing vulnerabilities on websites is still very much a troubled area. Most companies don't have proper security@ email addresses set up or monitored, and still don't take kindly to vulns being reported.

That said, publicly disclosing a flaw in addition to defacing the website, even temporarily, is certainly not a classy way to go about it.


Or exposes you to a group of individuals who will want to make you regret showing off.


[edit: Troll answers have been deleted, but you can still read the trolling comment thread: http://www.quora.com/Is-Qato-a-serious-Quora-clone-attempt/a... and http://www.quora.com/Is-Qato-a-serious-Quora-clone-attempt/a... ]

On the Quora thread, http://www.quora.com/Is-Qato-a-Quora-clone-attempt-or-a-simi... there are some answers by trolls pretending to represent Qato.

"Sameul Codsaw" writes: 'Also, we are using Ruby on Rails, so we expect to have less trouble scaling and finding devs than Quora has.'

Rick Ross, president of DZone (developers of OSQA and Qato), replies in the comments: 'This imposter has no connection with Qato and does a disservice to both Quora and DZone by posting this nonsense.'

"Kevin McDougal" answers and comments, also trying to make DZone look bad. ("Rick, our plan to sabotage the Quora community is working. Did Hernani create the 100 fake Quora accounts yet?" ... "Hold on. Was that message private or public?") It's pretty juvenile and makes me question the quality of the Quora moderation system.

Why are there all these sock puppet accounts (http://www.quora.com/Kevin-McDougal and http://www.quora.com/Samuel-Codsaw) popping up and pretending to represent Qato? They have only one answer on the entire site, and it's on this thread.

Are Quora engineers behind these trolls, or who? Regardless of who is behind it, the trolling reflects poorly on Quora, not Qato.

The comments by Ben Newman (Quora dev) honestly are quite juvenile, and do a disservice to Quora, regardless of any ethical considerations on the part of Quora or Qato. I would prefer to see him take the moral high road.


Quora has a lot of passionate users.


I've got a hard time not writing

"Quora has a lot of trolls" FTFY

with that kind of comment. Impersonation is crap and childish behavio(u)r and not about being "passionate" about a site or a technology.

I don't think Quora guys are to blame, but

- These comments should be moderated/removed/shouldn't have been allowed in the first place

- Calling idiots that do things like that "passionate users" does both the service and the internet in general a disservice. They are idiots. Period. That's not funny, that's not cool or helpful. Your reply seems kind of supportive and I don't get why.


I am making an observation.

You seem very angry.


I'm curious why, does anybody know? After looking at Stackoverflow I considered technical Q&A a solved problem, and it seems to translate well to other topics.


Quora is not limited to technical Q&A. Also, it allows people to put things like "3x SEO EXPERT CHIEF VP FOUNDER" next to their name. Lesser Q&A sites (and BBSes in general) do not implement this feature.


Just for the record, I meant it sincerely when I said that we were grateful that Ben Newman and Albert Sheu showed us an XSS hole in Qato, and that has now been fixed.

The site in question was just an unpromoted testing prototype which barely has any content and happened to have the Quora-like skin on at that moment. It probably shouldn't even have been publicly accessible.

Another Qato site on the same server is http://robofaqs.com, which is sporting our OSQA clone theme. It doesn't look anything like Quora at all, but is powered by literally the same server instance. That's what we're trying to say - Qato is the general purpose Q&A engine under the skin, and these various skins just modulate the way a Qato site looks.


FYI, underlined hyperlinks make it impossible to tell the difference between a "q" and a "g" in a URL. As such, I'd suggest you spend some time finding a better name for that unfortunately named site you linked.


So I take it you're not a fan of http://www.gamefaqs.com ? ;-)


Gamefaqs has a self-describing name that pertains to their main business (Game. FAQs.) Qato doesn't have the same thing going for it.


Did robofaqs have the same vulnerability? If so, that's a way bigger story than this brouhaha.


Just a quick note - these "assurances" that the Quora-like skin was just a prototype don't do anything to allay my suspicions that the xss vulnerability is probably a core issue with the "general purpose Q&A engine" underneath it. If you're relying on the "skin" to enforce xss security, you don't really understand the importance of the various bits of MVC.


I believe the skin and the XSS vulnerability were two separate issues. Even if the site had been using a different skin, the XSS vulnerability would have still existed.


Precisely my point.

I shouldn't be hearing "Oh, the Quora skin is just a prototype", I should be hearing something like "the dev site the Quora prototype skin was being developed on was running a 6 month old branch of our engine software, check out our github history to see all the security changes made in the "production ready" branch since November".


I believe he mentioned in response to people's complaints that the site looked like Quora; I don't think he meant to relate it to security at all.


Yeah, I suppose there was a "Quora engineers vandalized a Quora-clone site (with an xss vulnerability)" discussion going on, and my attention immediately zeros in on the xss enabled vandalization as being "the important news", and the response I saw (and commented on) was all about the "Quora clone" accusation (which I don't find very interesting).

(see my other comment downthread for clarification)


Vandalism is a stupid word to use. I imagine the process went something like this: "I wonder what happens if I add <script>$.fadeOut() as the text of the question" "Oh crap, it worked".

This is called experimentation. If you're in chemistry class and you mess up a lab, you're not accused of vandalizing apparatus... it's simply what happens when you are trying something out. Similarly, when you have a text box on a test website, someone is going to type something in, and if that causes the page to disappear, well... fix the bug and move on.


I disagree.

1. There are plenty of proof of concepts you can develop that don't destroy the page.

2. The Quora engineers in question didn't enter stuff into a textbox and leave it alone. They went and publicly disclosed a cross-site scripting vulnerability in a competitor's website.

Edit: Ben deleted his "answer" which disclosed the XSS. However, the comments on the answer are still accessible (for now) if anyone is curious about them: http://www.quora.com/Is-Qato-a-serious-Quora-clone-attempt/a...

Edit 2: Rick Ross posted a comment there I think is worth highlighting.

"In a way, we're grateful to these guys (Ben and Albert) for helping us close a hole. Their method of publicly vandalizing a test site and bragging about it is another matter. A simple email would have sufficed."


The "ethics" of "full disclosure" are a long-running subject, but many people agree that the technique is fine. Don't shoot the messenger.


Your chemistry class example is nonsensical. In class, if there is an opportunity to explore a few things and a mess is made, maybe you would not be blamed. That's usually not how labs are run--you follow a procedure and mixing chemicals with no forethought is a huge safety hazard to everybody in the lab. Neither the "real world" nor the Internet is a place with a mutual agreement between all participants to experiment with each other's property.

Maybe a better example would be going into your neighbor's backyard and testing how readily his shrubbery lights on fire. Oops, it's burning! Tell him to "fix the bug" and move on.


Maybe a better example would be going into your neighbor's backyard and testing how readily his shrubbery lights on fire. Oops, it's burning! Tell him to "fix the bug" and move on.

No, a better example is going into your backyard, shining a flashlight onto your neighbor's shrubbery, and then having the neighbor complain to you about changing the shrubbery's color from black to green.

The protocol for a shrub is: you shine light on it, it reflects light back. The protocol for a public web service is: you send it an HTTP request, it sends an HTTP response. If you don't want your neighbors to see your shrubbery, build a fence. If you don't want your website to contain arbitrary scripts, don't let users submit arbitrary scripts.


Let's not forget the Quora engineers are working for what is (in the very loosest sense of the word) a competitor.

If we're doing silly analogies, it's the equivalent of Starbucks sending their staff round to your new cafe with Groupons leaving no coffee or seats for the real customers and then publicly mocking your staff's incompetence in handling the situation. Sure, it's your fault for running the promotion and not buying enough coffee, but you might still consider BigCorp's behaviour a little underhand.


Same thing happened in my friend's company and they fired the engineer who identified and exploited the permanent XSS in their competitor's website. Personally I would do the very same thing.

1. It's against the law

2. Extremely unprofessional and childish

3. There are better ways to report security vulnerabilities


I sincerely hope that's not what happens here. I would hate to see someone lose their job over what seems to have been a temporary lapse in judgement.


Temporary lapses in judgement are exactly what "fireable offenses" are designed to prevent. Bright lines for tolerable acts, especially in regards to outside resources, help everybody know how to stay on the good side of management.

By way of example, some years ago a story went around about HP support being prohibited from suggesting a user adjust their BIOS. This was back in the day when checking BIOS to see if hard drives, ports and RAM were being detected properly (say, Win98 era), but for HP it was a fireable offense. It may not have resulted in the death of any user's computer in any given instance, but the risk of problems was great enough that they couldn't allow support people to deviate from the troubleshooting matrix in this way.

In this case it seems more a problem of ethics than policy, and no doubt Quora is not very large of a company and does not yet have stringent policies like HP's, but to argue "no harm no foul" is to set a bad precedent at the peak of a slippery slope.


Same here. But for developers who've worked at organizations like Mozilla in the past, you'd think they'd be better at handling this the way it should be rather than going script kiddy and juvenile on their own site.


It's against the law? Where?


Pretty much everywhere. For UK - http://en.wikipedia.org/wiki/Computer_Misuse_Act_1990 I'm sure US got an equivalent of this


I just left the following comment:

-- It's pretty lame to copy the design and trade dress of another product. It does not bode well for your skill or ability.

Backstory: A long time ago I wrote Delicious. We had hundreds of copycats and competitors. The ones that weren't direct copies were the ones that did better.

I'm sure this doesn't apply to you for whatever reason.


If Qato is going to copy someone's design, can't they find something better than Quora?

I mean, Quora's design isn't going to win them any awards; it looks like Quora didn't even use Photoshop, just straight-up CSS.


It doesn't just look like they don't use photoshop.

They "design in code".

http://www.quora.com/Joel-Lewenstein/Life-Without-Photoshop


Wow, thanks for sharing. Really neat writeup.


Because they are unoriginal followers. If they had any sense of direction they'd be able to build something of their own.


Originality is overrated. Various sites with CSS-only layouts and minimal interfaces are best described as an emergent aesthetic. Expect more like this.

There are simply too many people drawing from the historical experiences and examples laid by e.g. Metafilter, Digg, image boards, etc. for it to constitute individual acts of copying. That there are so many whitelabel apps & plugins ready for the implementing only accelerates this evolution.


There is a big difference between convergent evolution and wholesale copying.


It's not convergent evolution when people are copying, but copying doesn't obviate emerging aesthetics. Once upon a time, websites did not all have menu bars across the top, is this a result of despicable copying, or of lots of people simply deciding it was a good idea? Whether or not I think a given UX trope is useful is irrelevant to others choosing so.


Straw man.

We are discussing wholesale duplication.


My assertion is quantity-neutral. I simply don't think it matters how much is copied, just the fact that any copying is going on at all signals that the look and functionality is having an influence.


Ok. I know it's against the rules, but why is this getting voted down?

This comment comes from my experience (see above) rather than mere negative opinion.


Huh. This comment has been deleted. Was it the admins or did Rick not enjoy the criticism?


Everyone's right that it was an ill-advised thing to do, but stepping back ignoring the law (I know..) and just asking yourself the gut question:

What's worse? injecting a relatively harmless script into the product (that frankly caused them to fix an issue that could have been very painful for them if someone more devious had found it first), or Qato's ripoff of Quora in the first place?


For what it's worth, my takeaway on this is not that Qato "ripped off Quora", to me it's quite clear they're building an engine for Q&A websites, and they've used Quora (and Stackoverflow) as examples of what you can build with it. Not so much "ripping off" - I see it more like the sort of Photoshop demo where a guy on stage recreates some well known image to show off Photoshop as a tool.

The problem is, their tool has at least one xss vulnerability. I've been there myself, and usually a single xss vulnerability is an indication that the underlying design of the system didn't take xss (and probably web security in general) seriously enough. It's _possible_ this was just a single place where user supplied data sanitisation wasn't done correctly, but I'd bet good money that it's indicative of a development mindset that failed to be paranoid enough. I'll bet there's a bunch of places they're going to find exactly the same error, and won't be at all surprised to find SQL injection vulnerabilities, http header vulnerabilities, and any of a whole bunch of other "common web programming" errors. I'll be amazed if right now there aren't a bunch of people running fuzzers against any site suspected of having the Qato "engine" underneath it. I'll not be at all surprised to hear several of them get compromised before the weekend and start running dick-pill-seo spam...
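An added example, not part of the thread and not Qato's or OSQA's code: it contrasts the two designs argued over above, a skin that is trusted to escape user input versus an engine that HTML-encodes every user-supplied field before any skin sees it. The skin names, function names and the sample question are hypothetical and constructed for illustration.

```python
import html
from string import Template

# Hypothetical skins: presentation only. Both sit on the same "engine".
SKINS = {
    "quora_like": Template("<h1>$title</h1><div class='q'>$body</div>"),
    "osqa_like": Template("<article><h2>$title</h2><p>$body</p></article>"),
}

# Constructed sample input: a question whose title carries markup.
QUESTION = {"title": "<script>$.fadeOut()</script>", "body": "Is this escaped?"}


def _encode(fields):
    # html.escape covers HTML text and quoted-attribute contexts only;
    # values placed in URLs, inline JS or CSS need context-specific encoding.
    return {name: html.escape(value, quote=True) for name, value in fields.items()}


def render_skin_escapes(skin, question, escaping_skins=("osqa_like",)):
    """Fragile design: escaping is each skin's job.

    Only the skins listed in escaping_skins remember to do it, so the
    flaw appears or disappears depending on which skin is active.
    """
    fields = _encode(question) if skin in escaping_skins else dict(question)
    return SKINS[skin].substitute(fields)


def render_engine_escapes(skin, question):
    """Engine-level design: encode once, before the skin is chosen.

    A new or prototype skin cannot reintroduce the bug because it never
    receives raw user input.
    """
    return SKINS[skin].substitute(_encode(question))


def contains_live_script(page):
    """Crude check for this demo: did a raw <script> tag reach the output?"""
    return "<script" in page.lower()


def audit(render):
    """Return {skin: True if raw markup reached the page} for a renderer."""
    return {skin: contains_live_script(render(skin, QUESTION)) for skin in SKINS}


if __name__ == "__main__":
    print("skin escapes:  ", audit(render_skin_escapes))
    print("engine escapes:", audit(render_engine_escapes))
```
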


All really fair points. For me, they still seem to fall into the 'Harbor Freight Tools of the Internet' category.

[Edit: I already feel kind of bad about this comment. I love me some 3$ multi-meters. Still. Analogy stands.]


Putting the legal issues aside? It doesn't matter either way: security vulnerabilities trump copycats (in my opinion).

Publicly releasing details of an XSS vulnerability on a third party's site has much bigger ramifications than a copycat site. Plenty of websites deal with copycats all the time: they're frustrating, but they're not necessarily overly threatening. On the other hand, a 0 day could compromise the security of user information. In certain fields, that could completely destroy your business.


Mixed agreement.

...that could completely destroy your business

Yep.


I certainly don't think the Quora Engineers were right to vandalize the clone's website in this case.

I'm all about people making Q/A websites and releasing products that are clones of other products. Ideally this kind of competition can make the original product better.

That being said, I find making a clone of someone's product and then releasing said product at least in this sense, distasteful. Seeing that it has such similarity to the original that if you weren't familiar with the original you probably couldn't tell the difference.


Design clones are super lame.


Why? What separates design clone vs functionality clone, making one legitimate and the other distasteful?



Make sure to read the comments.


Yeah really. I wonder what Quora's investors are thinking right now?


Don't condone it, but understand their motivation. Knockoffs are kinda out of hand of late.


I've had a couple of my comments on Quora vandalized by engineers there as well, marking a few of them "unhelpful" even!

:P


From the comment thread:

"So Qato was caught plagiarizing and now they're complaining about supposed "vandalism"? Reminds of those newspaper headlines where the robber hurts himself breaking into a home and tries to sue the family."

I have to agree. This is basic javascript injection. Can you say, "blown out of proportion"?



