
Show HN: This up votes itself

3531 points | olalonde | 14 years ago | news.ycombinator.com

82 comments

naz | 14 years ago
This is why you shouldn't allow GET for performing actions. An image tag in an article could do the same thing (e: if it didn't check the referrer).
kijin | 14 years ago
It's trivially easy to forge POST requests, too.

What's really needed is a token (nonce) that is tied to the session. That's like CSRF Prevention 101.

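To make the point above concrete, here is an added example (not code from the thread or from HN): a minimal model of a vote endpoint that, like the submission, accepts a GET with only a Referer check, beside the fix kijin describes, which requires POST plus a token tied to the session. The site name, request shapes and in-memory session store are all constructed for the demo.

```python
import hmac
import secrets
from collections import defaultdict
SESSIONS = {}  # constructed in-memory store: cookie -> {"user", "csrf"}

def new_session(user):
    """Issue a session cookie plus a per-session CSRF token (the nonce)."""
    cookie = secrets.token_urlsafe(16)
    SESSIONS[cookie] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return cookie

def vote_vulnerable(req, votes):
    """Link-style voting: any GET with a valid session cookie counts.
    The Referer check is the only defence, so a link or <img> embedded on
    the site itself passes it, which is what the submission did."""
    sess = SESSIONS.get(req.get("cookie"))
    if sess is None:
        return 403
    referer = req.get("headers", {}).get("Referer", "")
    if not referer.startswith("https://news.example.test/"):
        return 403
    votes[req["params"]["id"]].add(sess["user"])
    return 200

def vote_hardened(req, votes):
    """Fix: require POST and a token bound to the caller's own session."""
    sess = SESSIONS.get(req.get("cookie"))
    if sess is None:
        return 403
    if req.get("method") != "POST":
        return 405
    token = req.get("params", {}).get("csrf", "")
    if not hmac.compare_digest(token, sess["csrf"]):  # constant-time compare
        return 403
    votes[req["params"]["id"]].add(sess["user"])
    return 200

def demo():
    """Constructed requests: the self-voting link vs a real vote form."""
    cookie = new_session("alice")
    forged_get = {"method": "GET", "cookie": cookie, "params": {"id": "3742902"},
                  "headers": {"Referer": "https://news.example.test/item?id=3742902"}}
    legit_post = {"method": "POST", "cookie": cookie,
                  "params": {"id": "3742902", "csrf": SESSIONS[cookie]["csrf"]}}
    v_old, v_new = defaultdict(set), defaultdict(set)
    return {"vulnerable_forged_get": vote_vulnerable(forged_get, v_old),
            "hardened_forged_get": vote_hardened(forged_get, v_new),
            "hardened_legit_post": vote_hardened(legit_post, v_new),
            "hardened_votes": len(v_new["3742902"])}
```

A forged POST (an auto-submitting form on another origin) fails the same way as the forged GET, because the token lives only in the victim's own session and page, not in the cookie the browser attaches automatically.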
olalonde | 14 years ago
Someone in the other thread pointed out it at least checked the referrer header.
akavi | 14 years ago
It's amusing watching the vote count skyrocket upward as the curious click on it. It's getting more than a vote a second.

Side note: I've always wondered why HN doesn't let you renege on your upvote. I imagine this would have a good deal fewer votes if people could.

cs702 | 14 years ago
This looks set to become the all-time #1-ranked submission soon. Compare it to other top-ranked submissions here: http://www.hnsearch.com/search#request/all&q=+&sortb...

[EDIT: corrected link. Thanks ma2rten!]

akavi | 14 years ago
That list is clearly not comprehensive (For example, there were multiple Steve Jobs related submissions that got over 1000 points).
numlocked | 14 years ago
An interesting side effect may be to drive registrations, as it will appear to non logged-in users that they have to create an account before viewing the #1 item.
im3w1l | 14 years ago
The number of people proposing POST as a solution shows the need for this subject to be lifted. There are methods for auto-posting, you know...
getsat | 14 years ago
POST alone isn't sufficient. You need CSRF protection, too (which, in this case, would protect from same-site request forgery).
dustingetz | 14 years ago
Is OP a mod? How did he know what his post ID would be before he submitted it? Spraying [sequential] submissions all at once?

[edit]

citricsquid | 14 years ago
IDs are sequential, you can predict them with ease. For example (without editing) I can tell you my comment ID (for this comment) will be: 3743005

(edit: nope, I was 3 off, you get the point though, apparently a lot of people are commenting at the moment, ha)

icebraining | 14 years ago
Aren't they sequential? Isn't it just a matter of using the ID of the latest post + 1?
SeoxyS | 14 years ago
Couldn't he have edited the url after posting it?
GreekOphion | 14 years ago
I was trying to figure that out too.
dsrguru | 14 years ago
If allowed to continue without intervention or a bug fix, this thread will stay at the top of HN forever.
patrickod | 14 years ago
Interesting. It's almost like a view counter for the article
Vaanir | 14 years ago
Yep, it was 130 as I read this comment. Going over 140 now. Click click click..
guynamedloren | 14 years ago
A clever, temporary solution to this would be to change the link to downvote the article and watch it trickle back to zero. Do it, pg!
ma2rten | 14 years ago
Genius plan, except that there is no downvote for submissions ...
zt | 14 years ago
When I saw the first one of these, I thought to myself that the front page wouldn't be overwhelmed by these posts. The whole reason most of us are here is that it is a mature community. As the first post was enough to prove the point, why did OP post it again? (S)He apologizes and gives credit to "http://news.ycombinator.com/item?id=3742742 (GreekOphion) for finding the bug", but why make the post at all? What good does it do? "I would send you the karma if I could!" just seems disingenuous.
cs702 | 14 years ago
zt: maturity has nothing to do with this. Hackers appreciate clever hacks, especially those that are self-referential. That's all there is to it.
kaybe | 14 years ago
A slightly unrelated question: What's up with those non-votable non-commentable recruiting links that have been up on the front page recently? Was that another bug exploit?
chucknthem | 14 years ago
Those links are usually recruiting links for YC companies allowed by PG.
donw | 14 years ago
Bonus points for pointing out the bug, and not using it as a way to blast some rubbish marketing to the front page.
bigiain | 14 years ago
I can't help but wonder if someone discovered this before, and realised they'd need to put some sort of throttling in place to keep it under the radar…

(Maybe _that_ explains why so many TechCrunch articles make the front page?)

benatkin | 14 years ago
I took care to click comments.
Garthex | 14 years ago
I'm curious as to whether this post will ever leave the front page. If it keeps getting points at an alarming rate, is there anything in the algorithm to eventually lower the ranking?
dbh937 | 14 years ago
Moderators might take it off.
sams99 | 14 years ago
So, we have 3 of these now ... on the front page ... I guess this is a side effect of the community not having anywhere to submit bugs to.
MichaelApproved | 14 years ago
Looks like it was removed from the front page by someone. Fun while it lasted...
liamk | 14 years ago
This could become the most voted up submission of all time.