Stealing identities on Hacker News
Update: The auth token on Hacker News now changes per link, so the description below is of historical interest only.
The vote links looked something like this:
It was possible to fake votes by tricking a user into entering their Hacker News username into a form. To fix the problem, a new auth parameter was added to every vote link. Now the vote links look like this:
The auth parameter is a per-user random token. If a user votes and the auth token doesn't match the server's auth value for that user, the vote is ignored.
The token value, as it turns out, is also used as the value of the user authentication cookie:
(def vote-url (user i dir whence)
  (+ "vote?" "for=" i!id "&dir=" dir
     ; the auth parameter is the user's own cookie value
     (if user (+ "&by=" user "&auth=" (user->cookie* user)))
     "&whence=" (urlencode whence)))
If an attacker can get a logged-in Hacker News user to share a vote link (for example by pasting the URL somewhere), the value of the auth parameter can be set as the attacker's own user cookie, and the attacker is then logged in as that user. That means the attacker can vote, add comments, submit stories, change personal info, etc.
How to get a user to share that link? One way is to entice them with pretty pictures. Here's one possible approach:
My experience with the vote faking suggests that many people are willing to try something like this.
One way to fix this problem is to generate a different signature for each vote link, for example a keyed hash (HMAC) over the user, the item id and the vote direction, computed with a secret that never leaves the server, so the link carries nothing that works as a cookie. Stealing the link would then allow an attacker to cast that one specific vote on that specific story, but the attacker would not be able to act indiscriminately as the user.
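To make the two schemes concrete, here is an added Python example; it is not code from this post or from the Hacker News source. It rebuilds the vote-url construction above with the auth parameter equal to the cookie value, then the per-link signature fix suggested in the previous paragraph, and shows what one leaked link buys an attacker under each. The user table, the cookie value, the server secret and the HMAC-based signature are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample state (not from the Hacker News code base): one logged-in
# user and the random value the server set as that user's auth cookie, i.e.
# what (user->cookie* user) returns in the Arc snippet above.
USER_COOKIE = {"alice": secrets.token_hex(16)}

# Hypothetical server-side key for the hardened scheme; it never leaves the server.
SERVER_SECRET = secrets.token_bytes(32)


def vote_url_original(user, item_id, direction, whence="news"):
    """The scheme the post describes: the auth parameter is the cookie itself."""
    params = {"for": item_id, "dir": direction}
    if user:
        params["by"] = user
        params["auth"] = USER_COOKIE[user]
    params["whence"] = whence
    return "vote?" + urlencode(params)


def per_link_signature(user, item_id, direction):
    """Hypothetical fix: a keyed MAC bound to this user, item and direction.

    The token is useless as a cookie and is only valid for this one vote.
    """
    msg = f"{user}|{item_id}|{direction}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()[:32]


def vote_url_fixed(user, item_id, direction, whence="news"):
    """Same link layout, but auth is a per-link signature, not the cookie."""
    params = {"for": item_id, "dir": direction}
    if user:
        params["by"] = user
        params["auth"] = per_link_signature(user, item_id, direction)
    params["whence"] = whence
    return "vote?" + urlencode(params)


def leaked_auth(url):
    """What an attacker reads out of a vote link the victim pasted somewhere."""
    return parse_qs(urlparse(url).query)["auth"][0]


def session_user(cookie_value):
    """Server login check: which user does a presented cookie value belong to?"""
    for name, cookie in USER_COOKIE.items():
        if hmac.compare_digest(cookie, cookie_value):
            return name
    return None


def accept_vote_fixed(url):
    """Server check for the hardened link: recompute the MAC for these params."""
    q = parse_qs(urlparse(url).query)
    user, item_id, direction, auth = (q[k][0] for k in ("by", "for", "dir", "auth"))
    expected = per_link_signature(user, item_id, direction)
    return hmac.compare_digest(expected, auth)


def demo():
    """Returns what each scheme lets an attacker do with one leaked link."""
    stolen_original = leaked_auth(vote_url_original("alice", 42, "up"))
    fixed_link = vote_url_fixed("alice", 42, "up")
    stolen_fixed = leaked_auth(fixed_link)
    return {
        # Original: the leaked token logs the attacker in as alice.
        "original_token_is_cookie": session_user(stolen_original) == "alice",
        # Fixed: the leaked token is not a cookie ...
        "fixed_token_is_cookie": session_user(stolen_fixed) is not None,
        # ... it still casts the one vote it was issued for ...
        "fixed_link_replays_same_vote": accept_vote_fixed(fixed_link),
        # ... but cannot be pointed at a different story.
        "fixed_link_retargets": accept_vote_fixed(
            fixed_link.replace("for=42", "for=43")),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The residual risk the fix leaves is visible in the output: a stolen hardened link still replays exactly the vote it was minted for, which is the limited, per-link exposure the paragraph above describes, while the session cookie itself is never written into a URL.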