Not cool. We deliberately don't put that much effort into security, because this is a community based on trust, not a bank. And by choosing to publish this rather than e.g. simply sending me an email about it, he's inviting people to do this.
I think a lot of people are missing the point here. Sure, what he did wasn't "cool" since it deceived users who are part of a community that is based on trust and responsibility. But he found a potential exploit and instead of using it irresponsibly he brought it to the attention of the community. Maybe the right thing would have been to contact PG. Maybe he takes lessons from the Windows world of bugs... If it's not made public for exploitation, it may never get fixed.
In my opinion this should be looked at as a learning experience for web developers. We need to take these issues/exploits into account when building websites. I'm pretty sure PG accounts for XSS attacking, no? If we trust each other, shouldn't we trust each other enough not to post malicious code? Unfortunately it just doesn't work like that. Security by obscurity is never the answer!
As much as this was done irresponsibly, is a fix planned for this? CSRF is, by now, a widely investigated field of web application development; most of the mystery is gone. To borrow a term from The Old New Thing, it's one of the taxes everybody has to pay.
This is not how the community functions however. The community functions by being made up of a group of people who believe in courtesy. It is not vulnerable to any sort of software hack, instead it is vulnerable to the slow drift towards thoughtlessness.
That's kind of the point, nothing was said that wasn't already public available information, yet people got angry at Xach for saying it.
The lack of trust is not trusting the community not to abuse an explained hack, and the whole is made dumb by the fact that anyone can figure out the hack for themselves even if it wasn't explained to them.
It was an interesting manipulation of the system, but as pointed out it's a dangerous slope. A community based on trust will sour very quickly if a lot of these tricks pop up.
Sharing the trick is entirely reasonable: small hacks like this are something to be proud of, given that you've acted in a reasonable way (e.g. contacted the site and informed them before telling others, not actually using it to game the system, etc.)
Hackers should know how to secure their own website. Between this and the JS injection hack (from the same fellow), it's clear that security is porous at best.
As a kid I never understood why some of the kids made it a hobby to trash the sandcastles built by the others. It was an interesting phenomenon to watch :)
Maybe they thought that if they wanted to, they can do better, but they never did.
Or maybe it's a cop-out to say that you didn't care about your sand castle's security in the first place. If you knew of a way to keep it from getting knocked over, you'd use it.
I'm sick of security. I wish we could make things without worrying about the myriad ways there are to destroy a thing?
What did xach have to gain by doing this experiment that he would have lost by emailing PG quietly, beyond the childish feeling of destroying a good thing?
Really though, this is such a simple attack you'd think that it would be protected against. Any argument about "trust" is irrelevant due to the frustratingly simple way this system has been gamed. Usernames, that's it? I'm surprised this didn't happen sooner.
Not hilarious if we start getting swamped with budding script kiddie attacks. This is a nice community, it would be great if we didn't start attracting that type of attention.
You wouldn't necessarily need someone to volunteer their username to make this work. This unfixed and ancient (2002!) browser vulnerability leaks information, via the styling of 'visited' links, about other URLs you've visited:
...is USERNAME. So another exploit -- still sneaky but not quite fraudulent, and not especially unique to HN -- would be to design an offsite page that does one or both of (1) greets HN users by name upon their visit; (2) logs which of some chosen set of HN users has visited the page.
If by 'brute force' you mean 'iterate through all legal usernames', I hadn't even thought of that!
I would expect someone instead to pick the leaderboard, or some other extant set of names (eg: Google [site:news.ycombinator.com inurl:user]), and just iterate over those.
(Sad aside: try that query at Google or Yahoo, and review the top 100 results. An awful lot of the usernames ranking highest are drug names.)
Yeah, I meant brute force over all registered usernames. I wrote a page that used the vulnerability you mentioned to check to see if a user has visited any of the top 100,000 websites: http://tlrobinson.net/misc/history.html (it seems to be broken now though) and it can churn through 100,000 tests in a few seconds.
I fell for the trickery (admittedly my mistake for trusting an unknown website) and submitted my user name, expecting to receive a graph like the page promised.
However, as pg already pointed out, it was totally uncool not notifying him before making it public. I am in support of full but responsible disclosure. So maybe he could have published it after informing pg and the issue was taken care of.
Taking it public is a fix. Now that this information is public none of us will give out our usernames to external websites, thus ending the problem. In effect Xach could decide between emailing someone hoping they fix the problem, or just fixing it.
I found this whole event funny. I'm also amused that people reacted as negatively to this prank as middle managers at my old $MEGACORP job would.
> Now that this information is public none of us will give out our usernames to external websites, thus ending the problem.
Correct me if I'm wrong, as I'm NOT a web guru, but I think there are three ways to get the user names, and it's enough if this only works in some cases:
(1) Brute force (look at who's currently active on the site)
(2) Look at browser history (HN users have to constantly look at their own profile to check for replies, and the URL contains their user name)
(3) Send whatever request the browser sends to HN normally, and get the user name embedded in the page.
Again, I don't know enough about browsers/JS/HTTP/HN to know if any of the above would work. I'm just saying I'm not sure that explicitly giving out your user name is required for this.
> none of us will give out our usernames to external websites
Maybe so, but in the case of Twitter, not many people seemed to learn their lessons - and there people were giving away their usernames and passwords.
> decide between emailing someone hoping they fix the problem, or just fixing it
But you do not know if a vendor will fix the problem as soon as you report it to them, even if they already have a past history of not caring. The balance here is responsible disclosure: maybe it's a big enough issue or maybe the right person noticed that your problem will get fixed when you first let them know. In the event you feel you are ignored though, go public. Best of both worlds.
> I found this whole event funny.
I don't think it's funny or angering. It's probably educational, as more people learn what CSRF is, and it's probably a little annoying in that not as many people are discussing responsible disclosure, but there's not much to get angry about. Votes? Big deal...
What's really stupid about all this is that I give fellow users on this site a little bit of trust because I know that many times, they would like advice or help with their projects, or conversely, they have stumbled on something I can learn.
So I don't worry too much about giving my user name out, or entering it into other HN members' apps. I did it, and I'm not worried about it really. It's not like run4yourlives is my bank id or anything.
What bothers me about the whole thing though is that I've now had it confirmed that HN is too big to trust anymore. Whereas before, there was a sense of kinship with people here - none of whom I've ever met - I now have to worry that some of them are just losers looking to exploit my trust.
That's worse than off topic posts and low quality comments really. It's an attack on the fabric of the community, and the value of the users. It's clear now that I must treat HN as I would treat reddit or digg or any other room full of potential idiots; people who would much rather exploit trust than build it.
I don't feel like any trust was violated by xach in showing us this exploit. He clearly wasn't trying to be malicious, so I frankly don't understand all of these people who are so upset about this. It sounds like a lot of pointless whining.
Frankly, if anybody has violated our trust, it's whoever wrote this exploitable code. When I use a site, especially an open source one claimed to be written by good programmers, I expect it to be protected from well-understood exploits. And pg, as the caretaker of the code (and its likely author), needs to do some talking about how "not cool" running easily exploitable code is and take some responsibility.
1. It most certainly was malicious, if not in outcome, in intent. xach wanted to say "Look, you say you're a coder - look at me I'll show you." There were a multitude of ways he could have presented his case in a manner that would have been - frankly - much more mature.
2. This is pg's personal pet hobby. I don't think holding him responsible for every possible vulnerability is really all that practical, especially when the code is wide open. He's putting it out there with an element of trust that a hacker to be would actually provide a fix instead of being malicious. If xach was such a great positive influence, why didn't he provide a patch?
1. Perhaps we simply have different definitions of malicious. I don't even think it's possible to be malicious with info on HN, unless he were to try to get our passwords or something. I just don't think karma is something to get all upset about.
2. I don't care what this is to pg. If he doesn't want it to be cracked, then he should spend some hobby time doing what every decent web programmer knows to do. There is no "element of trust" on publicly available sites. Further, note that I have not made an argument that xach has been a "great positive influence" - only not a negative one.
Honestly, what have you lost? Nothing. The truth is that you shouldn't be trusting a bunch of people you've never met ANYWAY. Nobody's asking you to give them your address or mother's maiden name, but you wouldn't give those out if asked by a fellow member anyway. You should always be wary of sites asking for your information for whatever reason, and just because you trust some of the people on HN doesn't mean there aren't tons more on here that could possibly deceive you.
People seem to react to this like the record companies reacted to Napster. "OH NO! IT'LL KILL US ALL! Screw changing our ancient business model, we'll just SUE 'EM!"
Instead of updating the way you think about HN (and other sites) you choose to put down the person who enlightened you and cast him out as some sort of heretic.
Hackers INVENT, hackers BREAK STUFF, and hackers BRING OUT THE UGLY! Why is Xach getting martyred for being a real hacker?
Besides, he's giving HN huge publicity. Jeff Atwood twittered about this thread.
I don't know whether you've been paying much attention to some of the threads lately but HN is trying to maintain a particular feel. It's huge publicity that begins to erode HN and turn it into something that many of us would rather avoid.
"Huge publicity"... but it's already publicly advertised in many places, many big names are blogging/twittering about it, did you really expect everyone to ignore it? If it's got such a good feel to it, why can't everyone else get in on that?
So far all I've seen is elitism, both in comments I'm reading and the replies to my own (first) comment.
Hackers aren't supposed to like elitism. We're supposed to promote the sharing of knowledge, information, freely and openly, you know... because that's how the world should be. Or so we say. But I haven't seen that here. I've seen the typical elitist social community, with the people who've been here "longer" running the show aside from the admin.
Decided to end my thought there, it was running a little long...
How did I know you'd pull that card instead of just letting it go? It's so easy to pull that card, isn't it? Long time reader, first time poster. Please don't judge a book by its hour-old cover.
Well, I think that a room full of idiots is an overstatement. An occasional idiot sure, but even that's beside the point - before this supposed decline of the community, you wouldn't have posted your credit card and social security numbers in the comments, no matter how much trust you placed here.
Am I wrong, or is this just saying HN is CSRF-able? There are commerce apps that are still CSRF-able. And this is a comparatively clumsy attack, since there's no trivial way to get your username blindly.
Yes, I think it's considered CSRF, but indeed it's not as bad as it could have been, since it still requires you know the username of the logged in user.
It's also nowhere near as bad as the state of the Twitter API and apps, which require a username and password. People don't think twice about providing unlimited access to their Twitter account to random websites. Hopefully the OAuth API will fix that.
@pg: I think one solution would be to reject any vote requests with a Referrer header other than news.ycombinator.com
AFAIK, checking the Referer header actually works for preventing CSRF because you can't modify it for the types of requests that work cross domain, i.e. loading <img>, <script>, etc. tags, or posting forms.
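The Referer check proposed in the two comments above, written out as server-side request validation for a vote endpoint. This is an added example, not HN's code; it goes a step further than the comments by preferring the Origin header, rejecting requests that carry neither header (a cross-site page can suppress Referer), and also requiring a per-session synchronizer token. `SITE_ORIGIN`, `vote_request_allowed` and the request dicts are assumed names and constructed inputs.

```python
from urllib.parse import urlsplit
import hmac

# Only first-party pages may submit votes (assumed site origin for this example).
SITE_ORIGIN = "https://news.ycombinator.com"


def _origin_of(url):
    """Reduce a Referer/Origin value to scheme://host[:port]; None if unparseable."""
    if not url:
        return None
    p = urlsplit(url)
    if not p.scheme or not p.netloc:
        return None
    return f"{p.scheme}://{p.netloc}".lower()


def vote_request_allowed(headers, form, session_token):
    """Decide whether a state-changing vote request may proceed.

    headers: request headers (any key case); form: submitted form fields;
    session_token: the CSRF token stored server-side for this session.
    Returns (allowed, reason).
    """
    h = {k.lower(): v for k, v in headers.items()}
    if "origin" in h:
        # 1. Browsers attach Origin to cross-site POSTs and page script cannot
        #    forge it; "null" or any non-matching value is rejected outright.
        if _origin_of(h["origin"]) != SITE_ORIGIN:
            return False, "cross-site origin"
    else:
        # 2. Fall back to Referer, as the comments suggest. A missing Referer is
        #    treated as untrusted rather than waved through: an attacker's page
        #    can arrange for it to be stripped, so absence proves nothing.
        referer = _origin_of(h.get("referer"))
        if referer is None:
            return False, "no origin or referer"
        if referer != SITE_ORIGIN:
            return False, "cross-site referer"
    # 3. Synchronizer token: a cross-site page cannot read it, so a forged
    #    <img>/<form> request from another domain cannot supply it.
    token = form.get("csrf_token", "")
    if not token or not hmac.compare_digest(token, session_token):
        return False, "bad csrf token"
    return True, "ok"
```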