Show HN: A Way To Hack HN's Karma
37 comments
What is the link?
[deleted]
If you go to this submission and click it, it up-votes this:
http://news.ycombinator.com/item?id=3742745
[deleted](1)
PG could start using POST & CSRF protection to lock this down. Or we could just avoid doing this to each other.
CSRF protection is the right way to solve this. Switching to POST doesn't provide any real protection; an attacker can simply put up a form that autosubmits to the endpoint with POST.
CSRF couldn't stop this particular attack, since it's not actually cross-site. You need to guard against both.
I think you misunderstand what CSRF protection does. It doesn't have anything to do with same-origin security, but rather preventing request forgery attacks in general. If a CSRF token was present on requests and was tied to a user's session (as is standard), then that would absolutely defend against this attack.
Or we could just avoid doing this to each other.
Security through obscurity?
Security through obscurity?
Nope. Security through niceness and ethics. If everyone was in on it we would have a really great society.
I don't think anyone would contest that good behavior would be good for society. But, it's not a practical expectation, because the probability of everyone exhibiting good behavior is vanishingly small.
That is exactly security through obscurity. If you're relying on people being nice enough to not exploit you (no matter how difficult it is), you have no security at all.
Let's say everyone on HN was nice enough to not use exploits. Might be possible. But then one person does a drive-by exploit, and BAM. Everyone but one person is nice enough to not exploit people.
Just because you wish people were nice doesn't make them nice.
Let's say everyone on HN was nice enough to not use exploits. Might be possible. But then one person does a drive-by exploit, and BAM. Everyone but one person is nice enough to not exploit people.
Just because you wish people were nice doesn't make them nice.
No, it's just lack of security. There's no obscurity involved at all.
(And, if there was any doubt, we should of course not count on people being nice on the internet.)
(And, if there was any doubt, we should of course not count on people being nice on the internet.)
> Or we could just avoid doing this to each other.
Hacker News has grown dramatically. The "Hacker News effect" is now significant and often considered valuable. If there is an exploit that makes it possible, people will use it.
Hacker News has grown dramatically. The "Hacker News effect" is now significant and often considered valuable. If there is an exploit that makes it possible, people will use it.
Nice hack! We should call it 'Same-site request forgery'.
I saw this but don't really consider it much of a problem. It's the kind of thing that you can't really exploit. It'd be obvious if you really tried to use it for evil and then PG would kill your account.
If HN has some sort of redirect to any URL page (eg, redirect.ashx?url=http://www.google.com I don't know if HN does but a lot of sites do in some form) then it could be exploited possibly
Not necessarily. You could make the CSRF request on, for example, 80 percent of the views to make it look legit. You could even take a more sophisticated approach and start by automatically upvoting for 100 percent of logged in users just to get on the front page and dampening once your story rises in the rankings.
And if any users notice your account and domain are banned. Not saying it shouldn't be fixed but I doubt you would have much luck exploiting this at any scale.
I had always assumed this was impossible because my votes have an auth key attached. Does this mean that the auth key is not used and is just there to trick casual observers into thinking there is security?
vote?for=3742852&dir=up&by=citricsquid&auth=478876d54494692615d9f2ca184fa9fab2fb9ff7&whence=%69%74%65%6d%3f%69%64%3d%33%37%34%32%37%34%32I'm guessing this security hole is a regression because I could have sworn I tried this before. But I don't remember for certain.
That parameter is absent when you're not logged in.
This is for the comment votes; it looks like the vote for articles doesn't have a token.
Is that how this story became number 1 without a pg comment? If this was serious you would think pg would have commented.
I emailed PG about this a week ago, his response:
"It just seems to."
Normally loading the vote URL directly doesn't work because votes that don't have a HN referrer don't get counted. By submitting the URL to HN and getting people to click through a HN referrer gets sent making the votes look legitimate.
"It just seems to."
Normally loading the vote URL directly doesn't work because votes that don't have a HN referrer don't get counted. By submitting the URL to HN and getting people to click through a HN referrer gets sent making the votes look legitimate.
An interesting bug, but if anything won't it just earn you fake points on a website, while making everyone on that website hate the account that's accruing the points, essentially making those "hacked" points' meaning moot anyway?
Now that it's out there, I made a self up voting version: http://news.ycombinator.com/edit?id=3742902
Let's try not to ruin the Front Page with a bunch of these. I believe one is enough.
[deleted]
I'm fairly certain that unless the referer is the "new" page, it counts negatively toward the story's promotion.
The #1 post on HN is exploiting this and it's working just fine.
I don't want people to misuse this I just want to bring attention to this problem.
This is the link I used that up-votes this: http://news.ycombinator.com/vote?for=3742742&dir=up&...