Show HN: A Way To Hack HN's Karma
472 points by GreekOphion on March 23, 2012 | hide | past | favorite | 33 comments
I submitted a link; when someone clicks on it, I get an up-vote for this article.

I don't want people to misuse this; I just want to bring attention to this problem.

This is the link I used that up-votes this: http://news.ycombinator.com/vote?for=3742742&dir=up&whence=%6e%65%77%65%73%74

Nice hack! We should call it 'Same-site request forgery'.


I emailed PG about this a week ago, his response:

"It just seems to."

Normally, loading the vote URL directly doesn't work because votes that don't have an HN referrer don't get counted. By submitting the URL to HN and getting people to click through, an HN referrer gets sent, making the votes look legitimate.


I had always assumed this was impossible because my votes have an auth key attached. Does this mean that the auth key is not used and is just there to trick casual observers into thinking there is security?

    vote?for=3742852&dir=up&by=citricsquid&auth=478876d54494692615d9f2ca184fa9fab2fb9ff7&whence=%69%74%65%6d%3f%69%64%3d%33%37%34%32%37%34%32


That parameter is absent when you're not logged in.


I'm guessing this security hole is a regression because I could have sworn I tried this before. But I don't remember for certain.


This is for the comment votes; it looks like the vote for articles doesn't have a token.


PG could start using POST & CSRF protection to lock this down. Or we could just avoid doing this to each other.


CSRF protection is the right way to solve this. Switching to POST doesn't provide any real protection; an attacker can simply put up a form that autosubmits to the endpoint with POST.


CSRF couldn't stop this particular attack, since it's not actually cross-site. You need to guard against both.


I think you misunderstand what CSRF protection does. It doesn't have anything to do with same-origin security, but rather preventing request forgery attacks in general. If a CSRF token was present on requests and was tied to a user's session (as is standard), then that would absolutely defend against this attack.
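As an added illustration (not code from HN or from anyone in this thread), here is a Python sketch of the referrer-only rule described earlier in the thread beside the session-bound token check this comment argues for; the HMAC token design, the server secret and the session ids are assumptions:

```python
import hashlib
import hmac
from urllib.parse import urlparse

SITE_HOST = "news.ycombinator.com"  # the site whose vote endpoint is being protected


def referrer_is_same_site(headers):
    """The weak check the thread describes: count a vote if the Referer is on the site.
    A link submitted to the site and clicked from /newest satisfies this trivially."""
    ref = headers.get("Referer", "")
    return urlparse(ref).hostname == SITE_HOST


def issue_csrf_token(session_id, server_secret):
    """One standard design (assumed here): a per-session token derived by HMAC from the
    session id, rendered into the page's vote forms but not derivable from a bare link."""
    return hmac.new(server_secret, session_id.encode(), hashlib.sha256).hexdigest()


def vote_allowed(method, headers, params, session_id, server_secret):
    """Hardened handler: a state-changing vote must be a POST *and* carry a token bound
    to the requesting user's session. The Referer header is not trusted at all."""
    if method != "POST":  # a clicked link is always a GET, so it can never vote
        return False
    expected = issue_csrf_token(session_id, server_secret)
    submitted = params.get("auth", "")
    return hmac.compare_digest(submitted, expected)  # constant-time comparison


def demo():
    """Replays the thread's scenario on constructed requests and returns the outcome of
    the forged click under the old and new rules, a replayed token, and a genuine vote."""
    secret = b"constructed-server-secret"
    victim = "session-of-victim"
    # Forged vote: a GET reached by clicking a submitted link, so the browser sends an
    # on-site Referer (/newest) plus the victim's cookies, but no session-bound token.
    forged_headers = {"Referer": "http://news.ycombinator.com/newest"}
    forged_params = {"for": "3742742", "dir": "up"}
    old_rule = referrer_is_same_site(forged_headers)
    new_rule = vote_allowed("GET", forged_headers, forged_params, victim, secret)
    # A token minted for some other session, replayed against the victim, must fail too.
    replayed = vote_allowed("POST", forged_headers,
                            {"auth": issue_csrf_token("someone-else", secret)}, victim, secret)
    # The victim's own vote, submitted by the site's form with their token, still counts.
    genuine = vote_allowed("POST", forged_headers,
                           {"auth": issue_csrf_token(victim, secret)}, victim, secret)
    return old_rule, new_rule, replayed, genuine
```

Under the referrer-only rule the forged click is counted; with the session-bound token it is rejected even though it is same-site and even if it were sent as a POST.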


Wonder if you could get around that by submitting a javascript: link.


As far as I can tell, only http(s) links are accepted by the submission form.


> Or we could just avoid doing this to each other.

Hacker News has grown dramatically. The "Hacker News effect" is now significant and often considered valuable. If there is an exploit that makes it possible, people will use it.


Or we could just avoid doing this to each other.

Security through obscurity?


Nope. Security through niceness and ethics. If everyone was in on it we would have a really great society.


I don't think anyone would contest that good behavior would be good for society. But, it's not a practical expectation, because the probability of everyone exhibiting good behavior is vanishingly small.


That is exactly security through obscurity. If you're relying on people being nice enough to not exploit you (no matter how difficult it is), you have no security at all.

Let's say everyone on HN was nice enough to not use exploits. Might be possible. But then one person does a drive-by exploit, and BAM. Everyone but one person is nice enough to not exploit people.

Just because you wish people were nice doesn't make them nice.


No, it's just lack of security. There's no obscurity involved at all.

(And, if there was any doubt, we should of course not count on people being nice on the internet.)


An interesting bug, but if anything won't it just earn you fake points on a website, while making everyone on that website hate the account that's accruing the points, essentially making those "hacked" points' meaning moot anyway?


I saw this but don't really consider it much of a problem. It's the kind of thing that you can't really exploit. It'd be obvious if you really tried to use it for evil and then PG would kill your account.


Not necessarily. You could make the CSRF request on, for example, 80 percent of the views to make it look legit. You could even take a more sophisticated approach and start by automatically upvoting for 100 percent of logged in users just to get on the front page and dampening once your story rises in the rankings.


And if any users notice, your account and domain are banned. Not saying it shouldn't be fixed, but I doubt you would have much luck exploiting this at any scale.


If HN has some sort of redirect-to-any-URL page (e.g., redirect.ashx?url=http://www.google.com; I don't know if HN does, but a lot of sites do in some form), then it could possibly be exploited.


Now that it's out there, I made a self-upvoting version: http://news.ycombinator.com/edit?id=3742902


Let's try not to ruin the Front Page with a bunch of these. I believe one is enough.


Is that how this story became number 1 without a pg comment? If this was serious you would think pg would have commented.


I'm fairly certain that unless the referer is the "new" page, it counts negatively toward the story's promotion.


The #1 post on HN is exploiting this and it's working just fine.


[deleted]


I don't think this is irresponsible, exactly. Mischievous, yes, but there's not a ton of damage being done and it's something we can laugh at and say "Hey, that was pretty good."


[deleted]


And how exactly would you insert an image on HN?


Apparently you are right, the bug is not vulnerable to cross-site scripting.


What is the link?


If you go to this submission and click it, it up-votes this: http://news.ycombinator.com/item?id=3742745
