Hacker News new | past | comments | ask | show | jobs | submit login
[dead]
on Aug 21, 2008 | hide | past | favorite



This is what happens when you start a website called hacker news.


At that time it was called Startup News.


And meanwhile on Cracker News we have...

"GREETZ FROM Z0MBEE"


It's not that bad a joke, is it?


Hehe. I've seen this before. When a News.YC user dataset was released I downloaded it and noticed that this user's file was the largest, so I checked it out.

Now out of curiosity, how did you find this user? He hasn't been very active it seems since he signed up over a year ago. (I see only one comment for this user).


This is something you probably should have reported to pg (unless it was already fixed, of course. it seems to be now)

This kind of vulnerability makes it trivial to hijack someone's session. Of course you probably don't have any sensitive data on news.yc, but still...


I did the same thing... I just downloaded the user dataset and noticed that he/she had just a tad bit of javascript.

http://news.ycombinator.com/item?id=213891


"... how did you find this user? He hasn't been very active it seems since he signed up over a year ago ..."

The term 'arglebargle' is used by a current HN member. So don't make this assumption.


I apologize. I didn't mean to assume anything. I used the fact that this user has made 1 comment over a year ago and had only 2 karma from that one comment to base my statement. It's also why I said it "seemed" that he hasn't been active. That's why I was wondering how this user was found.


"... I apologize. I didn't mean to assume anything. I used the fact that this user has made 1 comment over a year ago and had only 2 karma from that one ..."

Don't appologise - there is nothing wrong with your comment. I was just pointing there is an existing user that made it. I didn't want to name them w/o being sure.


I motion that this bit of art be kept, in admiration for its sheer brilliance and hacker-appeal.

If you guys really need to disable JS-injection for security purposes, at least leave "arglebargle's" in place.


I can't guarantee its safety, but I glanced at his JS, and it seems harmless.

(later edit: I probably should have posted this during the day to give someone a chance to fix it so no one new actually exploits this... should I delete it?)


Pretty clever too.

Click on the logo & letters on the bottom and you can throw them around.


Rearranging the letters shows that he wrote the code when Hacker News was still Startup News.


Yeah and they bounce and rebound. Impressive stuff.

Did you notice the letter 'r' leaves a trail when you throw it R-L ? A blue trail and the intensity of the line differs too.


http://pastebin.com/f1c2d17cf

That's a pretty-printed and syntax highlighted view of the JavaScript in question.

Edit: slightly cleaned up the formatting.

Also! Line 75 confuses me (and jsLint) a bit. What's that up to?


That's an HTML-escaped less-than. (I assume pastebin inserted the space between the '&' than the 'lt;'. This is line 75's unescaped:

  for (e = 0; e < sup.length; e++) {


Aha, indeed. I cleaned up the errant html escapes, resulting in the following pastebin: http://pastebin.com/f1343e50a

That gets the jsLint errors down to complaints about assignments in loop conditions. So no biggie.


Also learned from this: Startup news is an anagram for Putter Swans

...and swat punters... or pun swatters... and "we rust pants"


And "A Twerp's Nuts"


...truant spews and new startups. Hacker News: knew cash ER, screen hawk, and "HN: We Rake CS."


hacker news:

neck washer, warn cheeks, swan hecker or knee rash wc?


Greatest effect i've ever seen on HN.


The only effect I've seen on HN.

Works in all versions of FireFox/Safari I've tried, but unsurprising is broken in IE.


haha wait, the javascript injection is "broken" in IE? so does the injection just not work or does it work but the effect looks crappy? because if the injection doesn't work i sure wouldn't call that broken.


The browser cannot know if script is injected or part of the ordinary site, so a browser cannot possibly protect against injection.

Anyway, the injected script is indeed executed in IE, it just seem to fail because of an IE-specific bug.


Well, was it fixed? Why is it that that script still works?


It was fixed. The script still worked because the field hadn't been resubmitted since the fix.


Anyone try playing with the bouncing Y after mousing over it?


Pretty awesome


Wow wtf man, I spent 5 minutes on that page playing with that...and to think I wonder about how I possibly waste time on a site like YC News...


How does this work?


This works when someone inserts some javascript into a text field.

http://nexodyne.com/showthread.php?t=14736


I like it

It's a nice personalization.

Sure -- check for it on comments, but on the user's page? Kind of neat.


Sure, but it'd be trivial to modify the script to

* Submit stuff or comments under your account

* Modify your profile

* reset your password and take over the account

So probably best fixed if it's not already ;)




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: