ccarpenterg 14 years ago

Nice hack! We should call it 'Same-site request forgery'.

ssclafani 14 years ago

I emailed PG about this a week ago, his response:

"It just seems to."

Normally loading the vote URL directly doesn't work because votes that don't have a HN referrer don't get counted. By submitting the URL to HN and getting people to click through a HN referrer gets sent making the votes look legitimate.

citricsquid 14 years ago

I had always assumed this was impossible because my votes have an auth key attached. Does this mean that the auth key is not used and is just there to trick casual observers into thinking there is security?

    vote?for=3742852&dir=up&by=citricsquid&auth=478876d54494692615d9f2ca184fa9fab2fb9ff7&whence=%69%74%65%6d%3f%69%64%3d%33%37%34%32%37%34%32
  • kwamenum86 14 years ago

    I'm guessing this security hole is a regression because I could have sworn I tried this before. But I don't remember for certain.

  • jpulgarin 14 years ago

    That parameter is absent when you're not logged in.

  • wglb 14 years ago

    This is for the comment votes; it looks like the vote for articles doesn't have a token.

carbocation 14 years ago

PG could start using POST & CSRF protection to lock this down. Or we could just avoid doing this to each other.

  • daeken 14 years ago

    CSRF protection is the right way to solve this. Switching to POST doesn't provide any real protection; an attacker can simply put up a form that autosubmits to the endpoint with POST.

    • Bakkot 14 years ago

      CSRF couldn't stop this particular attack, since it's not actually cross-site. You need to guard against both.

      • daeken 14 years ago

        I think you misunderstand what CSRF protection does. It doesn't have anything to do with same-origin security, but rather preventing request forgery attacks in general. If a CSRF token was present on requests and was tied to a user's session (as is standard), then that would absolutely defend against this attack.

        • marshray 14 years ago

          Wonder if you could get around that by submitting a javascript: link.

          • daeken 14 years ago

            As far as I can tell, only http(s) links are accepted by the submission form.

  • freehunter 14 years ago

    Or we could just avoid doing this to each other.

    Security through obscurity?

    • tryeng 14 years ago

      Nope. Security through niceness and ethics. If everyone was in on it we would have a really great society.

      • dshah 14 years ago

        I don't think anyone would contest that good behavior would be good for society. But, it's not a practical expectation, because the probability of everyone exhibiting good behavior is vanishingly small.

      • freehunter 14 years ago

        That is exactly security through obscurity. If you're relying on people being nice enough to not exploit you (no matter how difficult it is), you have no security at all.

        Let's say everyone on HN was nice enough to not use exploits. Might be possible. But then one person does a drive-by exploit, and BAM. Everyone but one person is nice enough to not exploit people.

        Just because you wish people were nice doesn't make them nice.

        • tryeng 14 years ago

          No, it's just lack of security. There's no obscurity involved at all.

          (And, if there was any doubt, we should of course not count on people being nice on the internet.)

  • city41 14 years ago

    > Or we could just avoid doing this to each other.

    Hacker News has grown dramatically. The "Hacker News effect" is now significant and often considered valuable. If there is an exploit that makes it possible, people will use it.

deadmike 14 years ago

An interesting bug, but if anything won't it just earn you fake points on a website, while making everyone on that website hate the account that's accruing the points, essentially making those "hacked" points' meaning moot anyway?

staunch 14 years ago

I saw this but don't really consider it much of a problem. It's the kind of thing that you can't really exploit. It'd be obvious if you really tried to use it for evil and then PG would kill your account.

  • TomGullen 14 years ago

    If HN has some sort of redirect to any URL page (eg, redirect.ashx?url=http://www.google.com I don't know if HN does but a lot of sites do in some form) then it could be exploited possibly

  • kwamenum86 14 years ago

    Not necessarily. You could make the CSRF request on, for example, 80 percent of the views to make it look legit. You could even take a more sophisticated approach and start by automatically upvoting for 100 percent of logged in users just to get on the front page and dampening once your story rises in the rankings.

    • staunch 14 years ago

      And if any users notice your account and domain are banned. Not saying it shouldn't be fixed but I doubt you would have much luck exploiting this at any scale.

rickdale 14 years ago

Is that how this story became number 1 without a pg comment? If this was serious you would think pg would have commented.

goo 14 years ago

I'm fairly certain that unless the referer is the "new" page, it counts negatively toward the story's promotion.

  • MichaelApproved 14 years ago

    The #1 post on HN is exploiting this and it's working just fine.