Search Explore
    • kylec · 14 years ago

      Enjoy your HN karma, I hope you're allowed to keep it!

      • GreekOphion · 14 years ago

        Wow, your getting more votes than I did.

        • Vaanir · 14 years ago

          If only the link you had in your OP was clickable..

          • yangez · 14 years ago

            He worded the post in a much more compelling way.

            • olalonde · 14 years ago

              "It's all about the execution", "Usability counts", "Ideas are worthless", yadda yadda... Joking aside, congrats on finding the bug. I would send you the karma if I could!

          • robertelder · 14 years ago

            lawl

            • patrickod · 14 years ago

              Interesting. It's almost like a view counter for the article

              • Vaanir · 14 years ago

                Yep, it was 130 as I read this comment. Going over 140 now. Click click click..

              • naz · 14 years ago

                This is why you shouldn't allow GET for performing actions. An image tag in an article could do the same thing (e: if it didn't check the referrer).

                • olalonde · 14 years ago

                  Someone in the other thread pointed out it at least checked the referrer header.

                  • simonw · 14 years ago

                    That's not a good enough solution - there are decent reasons that a referrer header might be missing (some PC antivirus software strips out referrer headers for example). The only safe way to handle this is with a POST request protected by a CSRF token tied to a cookie.

                    • hashbo · 14 years ago

                      +1 You can’t trust the Referer header.

                      • jpablo · 14 years ago

                        GET with randomized ids and checking referrer should be good enough to keeps things simple.

                      • ben0x539 · 14 years ago

                        Really? I block the referer header so I guess all my upvotes haven't been counted. :(

                        • danielrm26 · 14 years ago

                          The referer header is also controlled by the client. Anything controlled by the client should be considered tainted.

                          • jbri · 14 years ago

                            This doesn't really apply when you are trying to verify whether the client actually performed some action.

                            In a CSRF scenario, the client itself can presumably be "trusted" - A client behaving maliciously can only hurt itself, not any one else. The important thing is to not trust anything that may have been provided by a third party.

                        • kijin · 14 years ago

                          It's trivially easy to forge POST requests, too.

                          What's really needed is a token (nonce) that is tied to the session. That's like CSRF Prevention 101.

                          • rabidsnail · 14 years ago

                            Or xhr with custom header, if you don't want to have to keep track of state.

                              • kijin · 14 years ago

                                So that anyone who has JavaScript disabled will be treated like an attacker? No thanks, HN is one of very few sites nowadays that work fine without JavaScript tricks, and I'd much rather PG kept it that way.

                              • Udo · 14 years ago

                                In this specific case merely forging a POST request externally does nothing as the user has to be signed in for this to work. Thus, restricting actions such as voting to POST (and restricting to same-origin) does constitute adequate protection if there is no XSS vulnerability on the site.

                                • simonw · 14 years ago

                                  But if the user IS signed in (and if someone arrives at your site from a link on Hacker News there's a very good chance they will be signed in) a POST forged from your site can affect their session. Read up on CSRF - it's a very different vulnerability from XSS (though having an XSS vulnerability will make any CSRF protection you have in place null and void).

                                  http://en.wikipedia.org/wiki/CSRF

                                  • Udo · 14 years ago

                                    Don't be so condescending, you didn't read my entire post. To quote myself:

                                      > POST (and restricting to same-origin)
                                    
                                    I still don't think it's possible to forge the referer header on an uncompromised browser.
                                • akavi · 14 years ago

                                  It's amusing watching the vote count skyrocket upward as the curious click on it. It's getting more than a vote a second.

                                  Side Note: I've always wondered why HN doesn't let you reneg on your upvote. I imagine this would have a good deal fewer votes if people could.

                                  • johndoeee · 14 years ago

                                    You can also secretly iframe it, always wondered if someone did it.

                                    Also a good example of why you need to use POST for stuff like this :)

                                    • minikomi · 14 years ago

                                      I wouldn't usually do this but.. so brave

                                      • donw · 14 years ago

                                        Bonus points for pointing out the bug, and not using it as a way to blast some rubbish marketing to the front page.

                                        • bigiain · 14 years ago

                                          I can't help but wonder if someone discovered this before, and realised they'd need to put some sort of throttling in place to keep it under the radar…

                                          (Maybe _that_ explains why so many TechCrunch articles make the front page?)

                                          • avree · 14 years ago

                                            You can see what it's doing in the URL. You don't see that in other submission URLs.

                                            • unimpressive · 14 years ago

                                              You could send it to a link which is hooked to a script that swaps the links for one in ten views or what have you. The extra benefit of that approach is that you don't have to worry about getting the submission ID right when submitting. You can just edit it on your server retroactively.

                                              Not that I'd ever be crazy enough try this for real of course.

                                              EDIT: According to posts I've read the votes aren't valid if the referrer isn't Hacker News. So the only thing possible is what's on display.

                                              • graylights · 14 years ago

                                                You can see it in the url here because he wasn't trying to hide it. He could have linked to a blog post containing a hidden element that does the get (after checking if the referer is HN).

                                          • Finbarr · 14 years ago

                                            I wonder if this has been manipulated in the past.

                                            • JeremyBanks · 14 years ago

                                              I think I remember seeing a post just like this a couple of years ago, after which the bug was fixed. I wonder if there was a regression or if this is somehow different.

                                            • reason · 14 years ago

                                              You are ruining the sanctity of karma.

                                              Edit: Lotsa serious folks on tonight.

                                              • im3w1l · 14 years ago

                                                The amount of people proposing POST as a solution, shows the need for this subject to be lifted. There are methods for auto-posting you know...

                                                • getsat · 14 years ago

                                                  POST alone isn't sufficient. You need CSRF protection, too (which, in this case, would protect from same-site request forgery).

                                                • sams99 · 14 years ago

                                                  so, we have 3 of these now ... on the front page ... I guess this is a side effect of the community not having anywhere to submit bugs to

                                                    • akavi · 14 years ago

                                                      That list is clearly not comprehensive (For example, there were multiple Steve Jobs related submissions that got over 1000 points).

                                                        • cs702 · 14 years ago

                                                          Still, much better than what I got with /over?points= ...

                                                    • dustingetz · 14 years ago

                                                      is OP a mod? how did he know what his postid would be before he submitted it? spraying [sequential] submissions all at once?

                                                      [edit]

                                                      • GreekOphion · 14 years ago

                                                        I was trying to figure that out too.

                                                        • citricsquid · 14 years ago

                                                          an ID can refer to a comment or a link, you can find the latest comments: http://news.ycombinator.com/newcomments latest links: http://news.ycombinator.com/newest

                                                          The easiest way to do it would be to pick an ID in the future (say 20 ahead of the latest one) then type the title and link out, then just keep refreshing the page for your selected ID minus one (for example, if your chosen ID is 3743040 refresh news.ycombinator.com/item?id=3743039) until you get a result then hit submit, if you're not too slow you'll get the ID 3743040.

                                                        • citricsquid · 14 years ago

                                                          IDs are sequential, you can predict them with ease. For example (without editing) I can tell you my comment ID (for this comment) will be: 3743005

                                                          (edit: nope, I was 3 off, you get the point though, apparently a lot of people are commenting at the moment, ha)

                                                          • youareincorrect · 14 years ago

                                                            Confirmed.

                                                            • olalonde · 14 years ago

                                                              Yes, that's how I did it. Took me about 3 attempts.

                                                            • icebraining · 14 years ago

                                                              Aren't they sequential? Isn't it just a matter of using the ID of the latest post + 1?

                                                              • SeoxyS · 14 years ago

                                                                Couldn't he have edited the url after posting it?

                                                                • GreekOphion · 14 years ago

                                                                  No, that's impossible.

                                                                  • kenneth · 14 years ago

                                                                    Link it to a php file on your server, and edit the php file to header('Location: the_actual_url') after the fact.

                                                                    • d3ad1ysp0rk · 14 years ago

                                                                      That isn't what is happening though, hover over the link and its a direct link to HN.

                                                              • numlocked · 14 years ago

                                                                An interesting side effect may be to drive registrations, as it will appear to non logged-in users that they have to create an account before viewing the #1 item.

                                                                • sethbannon · 14 years ago

                                                                  Brilliant.

                                                                  • dsrguru · 14 years ago

                                                                    If allowed to continue without intervention or a bug fix, this thread will stay at the top of HN forever.

                                                                    • liamk · 14 years ago

                                                                      This could become the most voted up submission of all time.

                                                                        • palish · 14 years ago

                                                                          I exploited this about 5 years ago. (I think it was called "Startup News" back then, though!)

                                                                          http://news.ycombinator.com/item?id=27615

                                                                          I think you need to set "showdead" in your profile to see this. It got killed pretty quickly, but netted me ~150 karma which was amusingly nontrivial back then. And as a byproduct, I think I became the first "public member" to get a glimpse of Arc, which was closed-source at the time. I won't disclose how (since I haven't asked for permission to share the details) but it was pretty much one of the happiest days of my life, for some stupid reason. I was young and giddy and felt like I'd just won something special.

                                                                          To give you an idea of how ancient this is, check out the id of the thread -- only #27,615. Man, time flies when you're watching a community grow, eh? It's like watching a child mature over years -- into an increasingly-annoying version of themselves while slowly getting fatter and fatter over the years, of course. (I kid, I kid.)

                                                                          Bonus: I just now noticed that I'd gotten into a debate with Paul B in that thread. Hah. I was too cocky back then... I should have been listening and asking questions, not talking!

                                                                          Man, I miss those days so much. I never knew how rare they were until they were gone. Like, my girlfriend (now wife) and I went on vacation, during which we prototyped and launched a whole webapp in Rails 1.0! Who does that? Not me, anymore -- At least, not until I lose my day job like a bad case of music. Makes me wonder if I still have my old "hey, I'm 18 and ignorant of my own flaws!" level of productivity...

                                                                          ====

                                                                          EDIT: Oh, look. I have the attention of the majority of HN. Allow me to now exploit you:

                                                                          To whomever has read upto here: you hereby implicitly agree my EULA, in which you swear to enjoy each of your scientific pursuits with intensity and to your fullest degree; and sometimes even to a dangerous degree, if the mood carries you thus. Additionally, you agree to never allow an employer, family member, or any other authority to break your intrinsic spirit; for they have no means of dominating your spirit except that which you subconsciously allow them. You shall be true to yourself and to your own principles, regardless of society (though in privacy). You shall hereby refuse to believe any scientific statement as "true", however benign, except those in which you alone have proven to yourself to be true, by your own hand and evidence. (Though it doesn't hurt to check out what other people have to say on the subject, from time to time; in fact, it turns out to often be a more valuable course of action, for the careful analysis of a close friend can often reveal subtle flaws in your process and in your logic, while occasionally forcing you to re-evaluate your core reasoning for choosing that process in the first place, which always leads to the path of learning and thus improvement and satisfaction.) You agree to eventually die with no regrets. Let no one impose themselves upon your judgement without merit. You shall endeavor to enjoy life to the fullest extent of the law (where applicable), and to realize that money is merely a means, not an end unto itself. In your spare time, you shall research that which is impossible, but intriguing, in order to always have something to strive for, thereby improving your skill and your spirit. You shall follow your curiosity wherever it leads (but keep both eyes open for signs of danger).

                                                                          Most importantly: thou shalt enjoy every week, else thou shalt fix your life's situation regardless of how immutable it may seem.

                                                                          Go -- build something out of passion. Right now!

                                                                          • ma2rten · 14 years ago

                                                                            I found this a little bit ironic (no blame on pg, he does have more important things to do):

                                                                            pg 1744 days ago

                                                                            Ok, will fix.

                                                                              • srl · 14 years ago

                                                                                > Bonus: I just noticed I'd gotten into a debate with Paul B in that thread. Hah. I was too cocky back then... I should have been listening, not talking!

                                                                                OT but funny story: back when I was first getting into programming heavily (I had dabbled for about 4 years, but wasn't particularly good), I started learning perl, and got into a flame war on freenode with some random guy I had never seen on before (in the three times I had visited). It was weird - everybody sided with him, so strongly that I was really confused. His username was strange, too - something about "toady".

                                                                                Yup, I, a perl programmer of 2 weeks, got into a flame war with Larry Wall. Didn't realize it for years, until I saw his IRC nick mentioned somewhere else. Ouch.

                                                                                • swiecki · 14 years ago

                                                                                  >> EDIT: Oh, look. I have the attention of the majority of HN. Allow me to now exploit you:

                                                                                  Your edit is the best thing to come out of this entire ordeal. Thanks for not abusing your newfound fame :)

                                                                                  • benatkin · 14 years ago

                                                                                    I took care to click comments.

                                                                                    • guynamedloren · 14 years ago

                                                                                      A clever, temporary solution to this would be to change the link to downvote the article and watch it trickle back to zero. Do it, pg!

                                                                                      • ma2rten · 14 years ago

                                                                                        Genius plan, except that there is no downvote for submissions ...

                                                                                        • MichaelApproved · 14 years ago

                                                                                          I thought tere was a downvote for users with a high enough level of points.

                                                                                          • guynamedloren · 14 years ago

                                                                                            Appears as though this may exist for comments only - not submissions. Though I wonder if a link would work just the same?

                                                                                            • lotharbot · 14 years ago

                                                                                              Only for comments. Submissions can be flagged, but not downvoted.

                                                                                        • kaybe · 14 years ago

                                                                                          A slightly unrelated question: What's up with those non-votable non-commentable recruiting links that have been up on the front page recently? Was that another bug exploit?

                                                                                          • chucknthem · 14 years ago

                                                                                            Those links are usually recruiting links for YC companies allowed by PG.

                                                                                            • bostonvaulter2 · 14 years ago

                                                                                              Those are ads for Y-Combinator companies

                                                                                              • zt · 14 years ago

                                                                                                When I saw the first one of these, I thought to myself that the front-page wouldn't be overwhelmed by these posts. The whole reason most of us are here is that it is a mature community. As the first post was enough to prove the point, why did OP post it again? (S)He apologize and give credit to "http://news.ycombinator.com/item?id=3742742 (GreekOphion) for finding the bug", but why make the post at all? What good does it do? "I would send you the karma if I could!" just seems disingenuous.

                                                                                                • cs702 · 14 years ago

                                                                                                  zt: maturity has nothing to do with this. Hackers appreciate clever hacks, especially those that are self-referential. That's all there is to it.

                                                                                                • Garthex · 14 years ago

                                                                                                  I'm curious as to whether this post will ever leave the front page. If it keeps getting points at an alarming rate, is there anything in the algorithm to eventually lower the ranking?

                                                                                                  • dbh937 · 14 years ago

                                                                                                    Moderators might take it off.

                                                                                                  • dbh937 · 14 years ago

                                                                                                    This is staying as #1 for a while.

                                                                                                    • MichaelApproved · 14 years ago

                                                                                                      Looks like it was removed from the front page by someone. Fun while it lasted...