Faking votes on Hacker News | Better HN

58 comments

41 comments · 8 top-level

pg17y ago· 17 in thread

Not cool. We deliberately don't put that much effort into security, because this is a community based on trust, not a bank. And by choosing to publish this rather than e.g. simply sending me an email about it, he's inviting people to do this.

agotterer17y ago

I think a lot of people are missing the point here. Sure what he did wasn't "cool" since it deceived users who are part of a community that is based on trust and responsibility. But he found a potential exploit and instead of using it irresponsibly he brought it to the attention of the community. Maybe the right thing would have been to contact PG. Maybe he takes lessons from the Windows world of bugs... If it's not made public for exploitation, it may never get fixed.

In my opinion this should be looked at as a learning experience for web developers. We need to take these issues/exploits into account when building websites. I'm pretty sure PG accounts for XSS attacking, no? If we trust each, shouldn't we trust each other enough not to post malicious code? Unfortunately it just doesn't work like that. Security by obscurity is never the answer!

tlrobinson17y ago

XSS, yes. CSRF, no, or at least not completely. You still need to know the user's username, which is better than it could have been.

This was a CSRF attack, which is mostly unrelated to XSS.

shadytrees17y ago

As much as this was done irresponsibly, is a fix planned for this? CSRF is, by now, a widely investigated field of web application development; most of the mystery is gone. To borrow a term from The Old New Thing, it's one of the taxes everybody has to pay.

tptacek17y ago

You're adding to the drama. Just let it go.

joshu17y ago

Trust, but verify.

jonshea17y ago

Don’t trust. Just verify.

dag17y ago

So the community is based on trust yet you don't trust the community with information on how the community functions.

JoelSutherland17y ago

The code for HN is open source:

http://arclanguage.org/

This is not how the community functions however. The community functions by being made up of a group of people who believe in courtesy. It is not vulnerable to any sort of software hack, instead it is vulnerable to the slow drift towards thoughtlessness.

lsb17y ago

Huh? You can download the source code for HN, and you can infer how voting happens from Firebug. Where's the lack of trust part?

AndyKelley17y ago

you should fix it instead of making excuses

erlanger17y ago

Hilarious. The head of "Hacker News" is mad because his news has been hacked.

sgrove17y ago

It was an interesting manipulation of the system, but as pointed out it's a dangerous slope. A community based on trust will sour very quickly if a lot of these tricks pop up.

Sharing the trick is entirely reasonable: small hacks like this are something to be proud of, given that you've acted in a reasonable way (e.g. contacted the site and informed them before telling others, not actually using it game the system, etc.)

Could have gone that way. Didn't.

tlrobinson17y ago

Hilarious, if you consider the only definition of "hacker" to be someone who breaks into or otherwise exploits computer systems.

Obviously that's not the definition we use here. If you haven't figured that out by now, perhaps this isn't the place for you.

pg17y ago

It was the way he did it. If he'd just sent me an email about this hack I'd have been amused and grateful.

aswanson17y ago

Not hilarious if we start getting swamped with budding script kiddie attacks. This is a nice community, it would be great if we didn't start attracting that type of attention.

alanthonyc17y ago

He didn't necessarily say he was mad.

He did say it wasn't cool - which is a fact.

What xach did wasn't cool, although perhaps inevitable on a public site.

comster17y ago

I think using the excuse of "trust" for having security holes is not justified.

run4yourlives17y ago· 7 in thread

What's really stupid about all this is that I give fellow users on this site a little bit of trust because I know that many times, they would like advice or help with their projects, or conversely, they have stumbled on something I can learn.

So I don't worry too much about giving my user name out, or entering it into other HN members' apps. I did it, and I'm not worried about it really. It's not like run4yourlives is my bank id or anything.

What bothers me about the whole thing though is that I've now had it confirmed that HN is too big to trust anymore. Whereas before, there was a sense of kinship with people here - none of whom I've ever met - I now have to worry that some of them are just losers looking to exploit my trust.

That's worse than off topic posts and low quality comments really. It's an attack on the fabric of the community, and the value of the users. It's clear now that I must treat HN as I would treat reddit or digg or any other room full of potential idiots; people who would much rather exploit trust than build it.

Sad but inevitable I suppose.

chairface17y ago

I don't feel like any trust was violated by xach in showing us this exploit. He clearly wasn't trying to be malicious, so I frankly don't understand all of these people who are so upset about this. It sounds like a lot of pointless whining.

Frankly, if anybody has violated our trust, it's whoever wrote this exploitable code. When I use a site, especially an open source one claimed to be written by good programmers, I expect it to be protected from well-understood exploits. And pg, as the caretaker of the code (and its likely author), needs to do some talking about how "not cool" running easily exploitable code is and take some responsibility.

run4yourlives17y ago

1. It most certainly was malicious, if not in outcome, in intent. xach wanted to say "Look, you say you're a coder - look at me I'll show you." There were a multitude of ways he could have presented his case in a manner that would have been - frankly - much more mature.

2. This is pg's personal pet hobby. I don't think holding him responsible for every possible vulnerability is really all that practical, especially when the code is wide open. He's putting it out there with an element of trust that a hacker to be would actually provide a fix instead of being malicious. If xach was such a great positive influence, why didn't he provide a patch?

l0gic17y ago

Honestly, what have you lost? Nothing. The truth is that you shouldn't be trusting a bunch of people you've never met ANYWAY. Nobody's asking you to give them your address or mother's maiden name, but you wouldn't give those out if asked by a fellow member anyway. You should always be wary of sites asking for your information for whatever reason, and just because you trust some of the people on HN doesn't mean there aren't tons more on here that could possibly deceive you.

People seem to react to this like like the record companies reacted to Napster. "OH NO! IT'LL KILL US ALL! Screw changing our ancient business model, we'll just SUE 'EM!"

Instead of updating the way you think about HN (and other sites) you choose to put down the person who enlightened you and cast him out as some sort of heretic.

Hackers INVENT, hackers BREAK STUFF, and hackers BRING OUT THE UGLY! Why is Xach getting martyred for being a real hacker?

Besides, he's giving HN huge publicity. Jeff Atwood twittered about this thread.

asnyder17y ago

I don't know whether you've been paying much attention to some of the threads lately but HN is trying to maintain a particular feel. It's huge publicity that begins to erode HN and turn it into something that many of us would rather avoid.

run4yourlives17y ago

I wouldn't normally say this, but your case is extreme.

Perhaps you should have an account longer than an hour before you lecture me about the effects of this issue on the community.

YuriNiyazov17y ago

Well, I think that a room full of idiots is an overstatement. An occasional idiot sure, but even that's beside the point - before this supposed decline of the community, you wouldn't have posted your credit card and social security numbers in the comments, no matter how much trust you placed here.

run4yourlives17y ago

Everyone has the potential to be an idiot. Broken windows and all...

r11t17y ago· 3 in thread

I fell for the trickery(admittedly my mistake for trusting an unknown website) and submitted my user name, expecting to receive a graph like the page promised.

However, as pg already pointed out it was totally uncool not notifying him before making it public. I am in the support of full but responsible disclosure. So maybe he could have published it after informing pg and the issue was taken care of.

dag17y ago

Taking it public is a fix. Now that this information is public none of us will give out our usernames to external websites, thus ending the problem. In effect Xach's could decide between emailing someone hoping they fix the problem, or just fixing it.

I found this whole event funny. I'm also amused that people reacted as negatively to this prank as middle managers at my old $MEGACORP job would.

criticOP17y ago

    Now that this information is public none of us 
    will give out our usernames to external websites, 
    thus ending the problem.

Correct me if I'm wrong, as I'm NOT a web guru, but I think there are three ways to get the user names, and it's enough if this only works in some cases:

(1) Brute force (look at who's currently active on the site)

(2) Look at browser history (HN users have to constantly look at their own profile to check for replies, and the URL contains their user name)

(3) Send whatever request the browser sends to HN normally, and gets the user name embedded in the page.

Again, I don't know enough about browsers/JS/HTTP/HN to know if any of the above would work. I'm just saying I'm not sure that explicitly giving out your user name is required for this.

Edit: typos

silencio17y ago

> none of us will give out our usernames to external websites

Maybe so, but in the case of Twitter, not many people seemed to learn their lessons - and there people were giving away their usernames and passwords.

> decide between emailing someone hoping they fix the problem, or just fixing it

But you do not know if a vendor will fix the problem as soon as you report it to them, even if they already have a past history of not caring. the balance here is responsible disclosure: maybe it's a big enough issue or maybe the right person noticed that your problem will get fixed when you first let them know..in the event you feel you are ignored though, go public. best of both worlds.

> I found this whole event funny.

I don't think it's funny or angering. It's probably educational, as more people learn what CSRF is and it's probably a little annoying in that not as many people are discussing responsible disclosure, but there's not much to get angry about. Votes? big deal....

gojomo17y ago· 2 in thread

You wouldn't necessarily need someone to volunteer their username to make this work. This unfixed and ancient (2002!) browser vulnerability leaks information, via the styling of 'visited' links, about other URLs you've visited:

http://seclists.org/bugtraq/2002/Feb/0271.html

In many cases, the only person who will have visited all of...

http://news.ycombinator.com/threads?id=USERNAME

http://news.ycombinator.com/submitted?id=USERNAME

http://news.ycombinator.com/saved?id=USERNAME

http://news.ycombinator.com/user?id=USERNAME

...is USERNAME. So another exploit -- still sneaky but not quite fraudulent, and not especially unique to HN -- would be to design an offsite page that does one or both of (1) greets HN users by name upon their visit; (2) logs which of some chosen set of HN users has visited the page.

tlrobinson17y ago

True. You'd still need to brute force USERNAME, but it's much faster to do that in JavaScript than issuing a million HTTP requests.

gojomo17y ago

If by 'brute force' you mean 'iterate through all legal usernames', I hadn't even thought of that!

I would expect someone instead to pick the leaderboard, or some other extant set of names (eg: Google [site:news.ycombinator.com inurl:user]), and just iterate over those.

(Sad aside: try that query at Google or Yahoo, and review the top 100 results. An awful lot of the usernames ranking highest are drug names.)

ajju17y ago· 2 in thread

Well done, you proved two things: 1) that you can write script that does an http get and 2) that you should not be trusted.

Was that a net gain for you?

criticOP17y ago

For the record, I'm not xach. I just saw this on Programming Reddit.

Edit: link http://www.reddit.com/r/programming/comments/854w0/faking_vo...

ajju17y ago

OK. I direct my comment at xach (since I can't edit it any more).

tptacek17y ago· 2 in thread

Am I wrong, or is this just saying HN is CSRF-able? There are commerce apps that are still CSRF-able. And this is a comparatively clumsy attack, since there's no trivial way to get your username blindly.

tlrobinson17y ago

Yes, I think it's considered CSRF, but indeed it's not as bad as it could have been, since it still requires you know the username of the logged in user.

It's also nowhere near as bad as the state of the Twitter API and apps, which require a username and password. People don't think twice about providing unlimited access to their Twitter account to random websites. Hopefully the OAuth API will fix that.

@pg: I think one solution would be to reject any vote requests with a Referrer header other than news.ycombinator.com

tptacek17y ago

Referer is totally insecure.

If all it is is votes, I say the right solution is "let it go".

ericwaller17y ago

It's worth having a link to http://en.wikipedia.org/wiki/Cross-site_request_forgery

Something to think about for your own applications

asdflkj17y ago

Some context:

http://www.reddit.com/r/programming/comments/67gu9/take_the_...

j / k navigate · click thread line to collapse