September 10th, 2009

Stealing identities on Hacker News

Update: The auth token on Hacker News now changes per link, so the description below is of historical interest only.


There was a problem with Hacker News that allowed vote faking by constructing a special link.

The vote links looked something like this:

It was possible to fake votes by tricking a user into entering their Hacker News username into a form. To fix the problem, a new auth parameter was added to every vote link. Now the vote links look like this:

The auth parameter is a per-user random token. If a user votes and the auth token doesn't match the server's auth value for that user, the vote is ignored.

The token value, as it turns out, is also used as the value of the user authentication cookie:

(def vote-url (user i dir whence)
  (+ "vote?" "for=" i!id
             "&dir=" dir
             (if user (+ "&by=" user "&auth=" (user->cookie* user)))
             "&whence=" (urlencode whence)))

If an attacker can get a logged-in Hacker News user to share a vote link, the auth value from that link can be set as the session cookie, and the attacker is then logged in as that user. That means the attacker can vote, add comments, submit stories, change personal info, etc.

How to get a user to share that link? One way is to entice them with pretty pictures. Here's one possible approach:

Hacker News Story Trend Charts

The HNSTC project is for visualizing the popularity trend of any story at Hacker News. To start charting your favorite story, please copy and paste the vote link into the form below:

To get the vote link, just right-click on a vote arrow and select "Copy Link Location", then paste it into the form above.

After you submit your vote link, you'll get a pretty picture like this:

My experience with the vote faking suggests that many people are willing to try something like this.

One way to fix this problem is to generate a different signature for each vote link, one that is derived from the user, story and direction rather than being the session token itself. Stealing the link would then allow an attacker to cast that specific vote on that specific story, but the attacker would not be able to act indiscriminately as another user.
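The following is an added example, not code from the original post or from Hacker News, covering both the weakness described above (the auth parameter is the session cookie, so a pasted vote link is a stolen session) and the per-link signature proposed as the fix. It mirrors the shape of the Arc vote-url function in Python. The cookie value, the story id and the server secret are constructed for the demo; the fix uses an HMAC over user, story and direction keyed with a server-side secret, which is one reasonable way to realise "a different signature for each vote link" and is my choice here, not something the post specifies.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed demo state (not real Hacker News data). The cookie value stands in
# for HN's per-user random token; the secret is known only to the server.
USER_COOKIES = {"alice": "d4c3b2a1f0e9d8c7b6a5"}
SERVER_SECRET = secrets.token_bytes(32)


def user_to_cookie(user):
    """Stand-in for (user->cookie* user): the user's session cookie value."""
    return USER_COOKIES[user]


def cookie_is_valid(user, cookie):
    """Server-side session check: does this cookie belong to this user?"""
    return hmac.compare_digest(user_to_cookie(user), cookie)


# --- Weak scheme: auth parameter is the session cookie itself -----------------

def vote_url_weak(user, item_id, direction, whence="news"):
    """Same structure as the Arc vote-url above: auth = session cookie."""
    params = {"for": item_id, "dir": direction, "by": user,
              "auth": user_to_cookie(user), "whence": whence}
    return "vote?" + urlencode(params)


def steal_session_from_link(link):
    """What the HNSTC-style lure does with a pasted vote link: (user, auth)."""
    q = parse_qs(urlparse(link).query)
    return q["by"][0], q["auth"][0]


# --- Fixed scheme: a per-link signature bound to user, story and direction ----

def vote_signature(user, item_id, direction):
    """Keyed hash over exactly the fields the vote acts on (assumed design)."""
    msg = f"{user}|{item_id}|{direction}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def vote_url_signed(user, item_id, direction, whence="news"):
    params = {"for": item_id, "dir": direction, "by": user,
              "auth": vote_signature(user, item_id, direction), "whence": whence}
    return "vote?" + urlencode(params)


def verify_signed_vote(link):
    """Server side: accept the vote only if the signature matches these
    exact parameters. Changing the story or direction invalidates it, and
    the signature is useless as a session cookie."""
    q = parse_qs(urlparse(link).query)
    try:
        user, item_id = q["by"][0], q["for"][0]
        direction, sig = q["dir"][0], q["auth"][0]
    except KeyError:
        return False
    return hmac.compare_digest(vote_signature(user, item_id, direction), sig)


if __name__ == "__main__":
    weak = vote_url_weak("alice", "101", "up")
    user, auth = steal_session_from_link(weak)
    print("weak link leaks a usable session cookie:", cookie_is_valid(user, auth))

    signed = vote_url_signed("alice", "101", "up")
    user, auth = steal_session_from_link(signed)
    print("signed link usable as cookie:", cookie_is_valid(user, auth))
    print("signed link casts its own vote:", verify_signed_vote(signed))
    print("retargeted to another story:",
          verify_signed_vote(signed.replace("for=101", "for=102")))
```

Note that the signed link still lets whoever holds it cast that one vote, exactly as the post says; binding the signature to a short expiry or to the session would narrow that further, but the point here is that nothing in the link reveals the cookie.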