top | item 8604586

Tell HN: Hacker News Profile Leak (Fixed)

170 points | kogir | 11 years ago

Under certain error conditions, a bug in our API code briefly published 84 users' usernames, email addresses, password hashes, and 100 most recent votes. This information appeared at https://hacker-news.firebaseio.com/v0/updates. We notified affected users on Monday, November 10th via email and (for users without email addresses in their profile) on Tuesday the 11th via a message in the site header.

Affected profiles were leaked on one of 10/12, 10/20, or 11/02. In every case, the leaked data was overwritten 30 seconds later by the subsequent update batch. The leaked password hashes were salted bcrypt (FreeBSD's default libcrypt implementation). Though we think the risk is low we encouraged affected users to change their password on HN as well as on any other sites where they used the same password.

Many thanks to Ovidiu Toader for alerting us to the bug and for sending us examples that assisted us in tracking it down. While the bug was fixed on Sunday, November 9th within minutes of our becoming aware of it, Ovidiu originally reported the issue one week prior - we just didn't see it in a timely manner.

To help improve our future response times, we've created a dedicated reporting address, [email protected] that we'll publish on our contact form. We're also creating a "Wall of Fame" to properly thank and credit past and future vulnerability reporters. More details will follow.

Super sorry about this,

The Hacker News Team

(Edit)

A clarification, since some people seem to be misunderstanding: Only publicly available data is intentionally pushed to Firebase. That any part of a user's profile other than their username, account age, about text, and list of submitted items was published IS THE BUG, and is now fixed.
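The post attributes the leak to a rare error path that published more of the profile than intended, and the clarification above lists the only fields meant to reach Firebase. The following is an added illustration, not Hacker News code: it contrasts the failure mode (an error handler that falls back to the whole record) with the pattern that prevents it (project the record through an allowlist before anything else can fail). The record layout, the field names, the sample user and the formatter that fails are all hypothetical.

```python
"""Added example (not HN's code): building a public view of a user profile.

The post says only username, account age, about text and submitted items
are meant to be published, and that the leak came from a rare error path.
The record layout, field names and the failing formatter below are
hypothetical; they illustrate the failure mode, not HN's actual code.
"""
from __future__ import annotations

# Fields that are safe to publish. Anything not listed must never leave.
PUBLIC_FIELDS = ("id", "created", "about", "submitted")

# Constructed sample record; the email, hash and votes are placeholders.
SAMPLE_USER = {
    "id": "alice",
    "created": 1414800000,
    "about": "Curious about compilers.",
    "submitted": [8604586, 8600001],
    "email": "alice@example.com",
    "pwhash": "$2b$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234",
    "votes": [(8604586, "up"), (8600001, "down")],
}


def render_about(about: object) -> str:
    """Hypothetical formatter that fails on non-string input (the 'rare error')."""
    if not isinstance(about, str):
        raise TypeError("about text is not a string")
    return about.strip()


def leaky_public_view(user: dict) -> dict:
    """Buggy pattern: on a formatting error, fall back to the raw record.

    The fallback was meant to publish *something* rather than nothing;
    it publishes everything instead.
    """
    try:
        view = {
            "id": user["id"],
            "created": user["created"],
            "about": render_about(user["about"]),
            "submitted": user["submitted"],
        }
    except Exception:
        view = dict(user)  # widens the output to the full record
    return view


def safe_public_view(user: dict) -> dict:
    """Hardened pattern: allowlist first, then format.

    The error path can only ever see already-public fields, so a formatter
    failure degrades the output instead of widening it.
    """
    view = {k: user[k] for k in PUBLIC_FIELDS if k in user}
    try:
        view["about"] = render_about(view.get("about", ""))
    except Exception:
        view["about"] = ""  # degrade, never widen
    return view


def leaked_fields(published: dict) -> set[str]:
    """Keys of a published view that lie outside the allowlist."""
    return set(published) - set(PUBLIC_FIELDS)


def demo() -> tuple[set[str], set[str]]:
    """Run both views on input that triggers the error path."""
    bad_input = dict(SAMPLE_USER, about=None)  # about text is not a string
    return (
        leaked_fields(leaky_public_view(bad_input)),
        leaked_fields(safe_public_view(bad_input)),
    )


if __name__ == "__main__":
    leaky, safe = demo()
    print("leaky path publishes extra fields:", sorted(leaky))
    print("safe path publishes extra fields:", sorted(safe))
```

The difference is purely structural: in the hardened version the private fields are dropped before any code that can raise runs, so there is no state from which an exception handler could accidentally publish them. A review that asks "what is the widest thing each `except` branch can emit?" catches this class of bug without needing to know which input triggers it.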

62 comments

[+] sillysaurus3|11 years ago|reply
100 most recent votes

This has me curious. Why 100? Why not 0 or all? 100 seems to indicate you're aggregating the 100 most recent votes for some specific purpose, and that the feature unintentionally leaked the data.

I wonder if mods have the ability to go to a page, type in a username, and see the 100 most recent things they've upvoted/downvoted? I guess as a way of looking for voting rings?

I often upvote comments I feel are unfairly downvoted, definitely not because I agree with the comment. Hopefully vote history isn't being used as a metric of character. Then again, maybe it's a useful filter. I've often wished Reddit would drag down comments from people who upvote angry bully-type comments from other people, so there might be all kinds of interesting ways "100 most recent votes" could be used.

[+] kogir|11 years ago|reply
100 was picked because it's a large round number. We need vote history to show vote arrows correctly, and for performance reasons we try to avoid loading entire vote files.
[+] yzzxy|11 years ago|reply
I would bet on technical reasons. From what I've read HN uses some unusual caching and optimization strategies - part of how the Arc application was optimized after initial development. I have no idea if this is the case here but it seems plausible - there is (outdated) source available[0] so you may be able to take a look for yourself.

[0] Mirrored at https://github.com/wting/hackernews

[+] SCdF|11 years ago|reply
> The leaked password hashes were salted bcrypt (FreeBSD's default libcrypt implementation).

As bad as data leaks are, it's at least nice to see one of these data leak stories where the passwords were actually stored correctly, instead of being MD5 / plaintext / base64.

[+] lucb1e|11 years ago|reply
> one of these data leak stories where the passwords were actually stored correctly

The reason we see so few hacks where passwords were stored properly might be because they do things properly, so odds are lower they get hacked in the first place. Just a thought.

[+] baudehlo|11 years ago|reply
Be nice to know the number of rounds used though - the default of 10 in most implementations is starting to become not enough.

Also bcrypt does not seem to be FreeBSD's default libcrypt implementation from the source code [1] - it appears to be DES (or SHA512 if DES isn't available). What makes HN think it's bcrypt? @kogir?

[1] https://github.com/freebsd/freebsd/blob/master/lib/libcrypt/...
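The two questions raised in this comment (how many rounds, and bcrypt versus DES) are both answered by the hash string itself: crypt(3)-style implementations select the algorithm from the `$`-prefix, and bcrypt and sha-crypt encode their work factor in the string. The following classifier is an added example and not code from the thread or from FreeBSD; the sample hashes are syntactically valid strings with arbitrary salt and digest characters, constructed here and not taken from the leak.

```python
"""Added example (not from the thread): classify a crypt(3)-style hash.

Reports the scheme and the work factor encoded in a modular-crypt-format
string, which is what you want to know about leaked hashes before judging
how urgent a reset is. Sample strings are constructed with valid syntax
and arbitrary salt/digest characters; they are not real hashes.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# $2$, $2a$, $2b$, $2x$, $2y$ + two-digit cost + 22-char salt + 31-char digest
_BCRYPT = re.compile(r"^\$(2[abxy]?)\$(\d{2})\$[./A-Za-z0-9]{53}$")
# $5$ (sha256crypt) / $6$ (sha512crypt), optional rounds=N, salt, digest
_SHACRYPT = re.compile(
    r"^\$(5|6)\$(?:rounds=(\d+)\$)?([./A-Za-z0-9]{1,16})\$([./A-Za-z0-9]+)$"
)
# $1$ md5crypt: up to 8-char salt, 22-char digest
_MD5CRYPT = re.compile(r"^\$1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}$")
# Traditional DES crypt: 2-char salt + 11-char digest, no prefix
_DES = re.compile(r"^[./A-Za-z0-9]{13}$")


@dataclass(frozen=True)
class HashInfo:
    scheme: str
    work_factor: int | None  # bcrypt cost (log2 of iterations) or rounds
    note: str


def classify(h: str) -> HashInfo:
    """Return the scheme and work factor a crypt(3)-style string encodes."""
    if m := _BCRYPT.match(h):
        cost = int(m.group(2))
        return HashInfo("bcrypt/" + m.group(1), cost,
                        f"2^{cost} = {2 ** cost} expensive key setups per guess")
    if m := _SHACRYPT.match(h):
        algo = "sha256crypt" if m.group(1) == "5" else "sha512crypt"
        rounds = int(m.group(2)) if m.group(2) else 5000  # spec default
        return HashInfo(algo, rounds,
                        "rounds= absent means the default of 5000")
    if _MD5CRYPT.match(h):
        return HashInfo("md5crypt", 1000, "fixed 1000 iterations, not tunable")
    if _DES.match(h):
        return HashInfo("DES crypt", 25,
                        "25 DES iterations, 12-bit salt, password truncated to 8 chars")
    return HashInfo("unknown", None,
                    "not a modular-crypt string; check for raw digests or plaintext")


# Constructed samples (arbitrary characters, valid syntax only).
SAMPLES = {
    "bcrypt": "$2b$10$" + "abcdefghijklmnopqrstuv" + "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234",
    "sha512": "$6$rounds=100000$saltsalt$" + "A" * 86,
    "md5": "$1$saltsalt$" + "abcdefghijklmnopqrstuv",
    "des": "abCdEfGhIjKlM",
    "rawmd5": "5f4dcc3b5aa765d61d8327deb882cf99",
}


if __name__ == "__main__":
    for name, h in SAMPLES.items():
        info = classify(h)
        print(f"{name:7} {info.scheme:12} work_factor={info.work_factor} ({info.note})")
```

Applied to the leaked strings, this settles the question in the comment: a string starting with `$2a$` or `$2b$` was produced by the bcrypt code path regardless of what the library's compile-time default is, and the two digits after it are the cost the site chose.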

[+] MalcolmDiggs|11 years ago|reply
Shit happens, we're all human. All you can do is learn from it. Thanks for setting up that dedicated reporting address, and for being transparent about the incident.
[+] danso|11 years ago|reply
I was pretty amused to see the notification come across my email... I never get to be part of the fun hacks, and also, I randomize my password to make it hard to log back in (without searching for the text file I've buried it in) when I've logged back out... so no big loss. I know the email asked us to not say anything about it until everyone was properly notified, but I was pretty surprised no one blurted it out anyway, this being HN and the lively discussions we have about hack incidents.
[+] voska|11 years ago|reply
This is a perfect example of how security vulnerabilities should be disclosed.

• Quickly
• Transparently
• With a fix already in place

[+] tokenadult|11 years ago|reply
I was one of the lucky users. I was on the road (coming back from a family funeral in rural Kansas) at the time the email was sent, so I was barely on my cell phone network enough to see the email, and wasn't near my desktop computer where I usually do all my password changes. But I only use my password for any given site on that site itself, and I have now reset my Hacker News password, so all's well that ends well. Thanks to the HN team for fixing the bug and for notifying the users affected by the bug.
[+] ncallaway|11 years ago|reply
Just wanted to thank the HN team for a responsible disclosure.

It's never fun to be on the receiving end of these e-mails, but the HN leak e-mail was the most responsible data-leak notification I've received.

Thanks for being professional and responsible!

[+] Someone1234|11 years ago|reply
So why was that data pushed "randomly" into the updates queue? Or put another way why was it random rather than happening all of the time?
[+] kogir|11 years ago|reply
Had it happened in all cases, I'd have noticed it (I hope!) before pushing it to the live site.

This was a case of rare error handling having unintended side effects. The profiles were only published in one very unlikely case.

[+] undrcvr-lagggal|11 years ago|reply
Wow if HN can't even get this right, it's no wonder so many fortune 1000 and fortune 100 companies are compromised so often. Information wants to be free. Secure programming requires thorough discipline.
[+] jacquesm|11 years ago|reply
From the data leaked it sounds like HN is exporting a lot more than it should.
[+] kogir|11 years ago|reply
Well, yes. That was the bug that was fixed.
[+] wslh|11 years ago|reply
Is there a prize for the 84 users? Even symbolic...
[+] louthy|11 years ago|reply
As one of the 'winners' I'm just happy that everything was hashed and salted correctly.
[+] brianbarker|11 years ago|reply
I won, too. HN could remove all the undeserved downvotes I get ;).
[+] spolu|11 years ago|reply
Hey, how come this is not yet on the homepage? My last post is weirdly stuck in newest as well... Any problem with how posts are picked up for the homepage?
[+] dang|11 years ago|reply
You can't derive the front page or an individual story's rank from the displayed score and timestamp alone. That's on purpose, as an anti-gaming measure.

I'm going to mark this subthread off-topic now. If you have questions like this, please don't post them here, but rather email [email protected], as the guidelines ask.

[+] opendais|11 years ago|reply
"Please put a valid address in the email field, or we won't be able to send you a new password if you forget yours. Your address is only visible to you and us. Crawlers and other users can't see it."

Welp, I'm taking my email out.

[+] kogir|11 years ago|reply
Make sure never to commit to a public git repo either.

(Edit)

In all seriousness though, we're really bummed this happened and wish it hadn't. We do code reviews and try our best to prevent this kind of thing from happening. That said, if you truly want your account here to be anonymous, you're right to remove all personally identifiable information. I'd also recommend using Tor (and using it correctly).

[+] iLoch|11 years ago|reply
What's the problem?