Hacker News Security

If you find a security hole, please let us know at security@ycombinator.com. We try to respond (with fixes!) as soon as possible, and really appreciate the help.

Thanks to the following people who have discovered and responsibly disclosed security holes in Hacker News:

2023-01-02: Carter Sande, Mark Slater, James Darpinian

  • Submission titles were no longer being HTML-escaped in some places.

2022-09-04: Dimitris Triantafyllidis

  • User karma could be increased by exploiting an upvote/unvote bug.

2021-07-04: RyotaK

  • URL tricks could display the wrong domain for some websites.

2021-06-07: Atamyrat Hezretgulyyev

  • A CSRF logout was still possible in some cases.

2021-02-14: Michael Brooks

  • Set the SameSite cookie attribute for better CSRF protection.

2017-04-30: Michael Flaxman

  • The minor version of bcrypt used for passwords was susceptible to a collision in some cases.

2017-04-14: Blake Rand

  • Links in comments were vulnerable to an IDN homograph attack.

2017-03-15: Blake Rand

  • The right-to-left override character could be used to obscure link text in comments.

2017-03-01: Jaikishan Tulswani

  • Logged-in users could bypass 'old password' form field.

2016-02-17: Eric Tjossem

  • Logout and login were vulnerable to CSRF.

2016-01-13: Mert Taşçi

  • The 'forgot password' link was vulnerable to reflected XSS.

2015-09-07: Sandeep Singh

  • An open redirect was possible by passing a URL with a mixed-case protocol as the goto parameter.

2015-09-04: Manish Bhattacharya

2015-08-27: Chris Marlow

  • Revisions to HN's markup caused an HTML injection regression.

2015-06-24: Stephen Sclafani

2015-03-02: Max Bond

  • Information leaked during /r processing allowed an attacker to discover valid profile edit links and the user for which they were valid.
  • goto parameters functioned as open redirects.

2014-11-01: Ovidiu Toader

  • In rare cases some users' profiles (including email addresses and password hashes) were mistakenly published to the Firebase API. More here.

2014-10-27: San Tran

  • Some pages displaying forms were vulnerable to reflected XSS when provided malformed query string arguments.

2014-05-01: Jonathan Rudenberg

  • Some YC internal pages were vulnerable to persistent XSS.

2012-08-01: Louis Lang

  • Redirects were vulnerable to HTTP response splitting via the whence argument.
  • Persistent XSS could be achieved via the X-Forwarded-For header.

2012-07-20: Michael Borohovski

  • Incorrect handling of unauthenticated requests meant anyone could change rsvp status for Demo Day.

2010-01-12: Zain Memon

  • Someone creating a new account could sometimes take an existing username.

2009-06-03: Daniel Fox Franke

  • The state of the PRNG used to generate cookies could be determined from observed outputs. This allowed an attacker to fairly easily determine valid user cookies and compromise accounts. More here.

Missing From This List? If you reported a vulnerability to us and don't see your name, please shoot us an email and we'll happily add you. We crawled through tons of emails trying to find all reports but inevitably missed some.