March 16th, 2009

Faking votes on Hacker News

Hacker News is a site where users vote on links. When someone clicks on an up or down vote, their browser sends a GET request that looks like this:

  GET /vote?by=joesmith&dir=up&for=8765309

A user can only vote if the by parameter matches their Hacker News login cookie. So for a third party to fake votes, they would need to get a visitor's login name.

That turns out to be very easy to do. I made a form that looks like this:

Clicking "Generate" goes to a page that embeds an image with a HREF of the upvote link, creating a fake vote. People didn't hesitate to submit their info in the hopes of getting a nifty graphic.

After submitting it to Hacker News, and making it upvote itself when triggered, the link got over 50 (fake) upvotes in the 10 minutes before it was killed. People were confused.

Until this is fixed, I don't recommend giving out your Hacker News username.

update Here's the Hacker News discussion of this issue. "We deliberately don't put that much effort into security, because this is a community based on trust, not a bank."

update Some people have asked how this could be prevented. One technique is to compute the cryptographic hash of the parameters concatenated with some secret value:

  • secret is "fribble dibble"
  • hash is sha1("fribble dibble?by=joesmith&dir=up&for=8675309") update: don't use this; use hmac
  • link is "/vote?by=joesmith&dir=up&for=8675309&hash=f3a8c2241"
  • when processing requests to /vote, recompute the hash independently from the request parameters and compare to what was submitted; if it matches, accept the action.

It would be difficult for a third party to compute the hash and make it part of an unwitting request.

Using POST alone wouldn't help. It's pretty trivial to put a form in the HTML and submit it with JavaScript.