Stealing identities on Hacker News

Update: The auth token on Hacker News now changes per link, so the description below is of historical interest only.

_________

There was a problem with Hacker News that allowed vote faking by constructing a special link.

The vote links looked something like this:

http://news.ycombinator.com/vote?for=814958&dir=up&by=jsteele&whence=news

It was possible to fake votes by tricking the user into entering their Hacker News username into a form. To fix the problem, a new auth parameter was added to every vote link. Now the vote links look like this:

http://news.ycombinator.com/vote?for=814958&dir=up&by=jsteele&auth=YQ6UDAAP&whence=news

The auth parameter is a per-user random token. If a user votes and the auth token doesn't match the server's auth value for that user, the vote is ignored.

The token value, as it turns out, is also used as the value of the user authentication cookie:

(def vote-url (user i dir whence)
  (+ "vote?" "for=" i!id
             "&dir=" dir
             ; the auth= value is looked up from the user's login cookie value
             (if user (+ "&by=" user "&auth=" (user->cookie* user)))
             "&whence=" (urlencode whence)))

If an attacker can get a logged-in Hacker News user to share a vote link, the auth parameter can be used in a cookie to act as the Hacker News user on the site. That means the attacker can vote, add comments, submit stories, change personal info, etc.

How to get a user to share that link? One way is to entice them with pretty pictures. Here's one possible approach:

Hacker News Story Trend Charts

The HNSTC project is for visualizing the popularity trend of any story at Hacker News. To start charting your favorite story, please copy and paste the vote link in the form below:

To get the vote link, just right-click on a vote arrow and select "Copy Link Location", then paste it into the form above.

After you submit your vote link, you'll get a pretty picture like this:

My experience with the vote faking suggests that many people are willing to try something like this.

One way to fix this problem is to generate a different signature for each vote link. Stealing the link would then allow an attacker to make a specific vote on a specific story, but the attacker would not be able to act indiscriminately as another user.
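As an added illustration of the per-link signature fix suggested above (example code, not Hacker News's own Arc implementation): the auth value becomes an HMAC over the user, story and direction, keyed with a per-user secret that stays on the server, so a leaked link is good for exactly one vote and contains nothing that works as a cookie. USER_VOTE_SECRETS, vote_signature, vote_url and verify_vote are hypothetical names.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# Constructed per-user secret. In a real deployment it lives server-side next to
# the session record and is never sent to the browser (unlike HN's cookie token).
USER_VOTE_SECRETS = {"jsteele": secrets.token_bytes(32)}


def vote_signature(user: str, story_id: int, direction: str) -> str:
    """HMAC-SHA256 over (user, story, direction), keyed with the user's secret.

    The tag is bound to one specific vote, so copying the link out of the page
    authorizes only that vote and reveals no session-wide credential.
    """
    msg = f"{user}:{story_id}:{direction}".encode()
    return hmac.new(USER_VOTE_SECRETS[user], msg, hashlib.sha256).hexdigest()


def vote_url(user: str, story_id: int, direction: str, whence: str) -> str:
    """Build a vote link in the same shape as the ones quoted above."""
    params = {
        "for": story_id,
        "dir": direction,
        "by": user,
        "auth": vote_signature(user, story_id, direction),
        "whence": whence,
    }
    return "https://news.ycombinator.com/vote?" + urlencode(params)


def verify_vote(user: str, story_id: int, direction: str, auth: str) -> bool:
    """Server-side check: recompute the tag for this exact vote and compare in
    constant time. A tag for another story or direction does not verify."""
    if user not in USER_VOTE_SECRETS:
        return False
    expected = vote_signature(user, story_id, direction)
    return hmac.compare_digest(expected, auth)
```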

Comments

I'm passing this on to the caps folks as an interesting failure. A per-story-per-user key (which we would call attenuation) is definitely appropriate.

(Also, if they had used a form button and POST for the vote buttons, as is appropriate per HTTP since this has a side-effect, then browsers wouldn't allow copying the vote operation as a link, which would prevent this particular attack even without per-story codes. But According To Our Ideology, there's nothing wrong with having an authorization-bearing link to a page having such a button, so one should do the per-story codes anyway.)
