Zach Beane (xach) wrote,

Stealing logins at Hacker News

The canonical URL for Hacker News is news.ycombinator.com. However, the Arc-based webserver does not check the Host HTTP header, so anyone can set up a DNS address (A) record pointing at the server's IP and get the full, normal Hacker News experience under that name. hackerne.ws is one memorable alternative domain name for Hacker News.

This behavior presents a way to steal logins.

  1. Set up a new domain, e.g. hkrn.ws
  2. Point hkrn.ws's A record at 174.132.225.106
  3. Link to items via that short domain, e.g. hkrn.ws/item?id=2353296. Perfect for twitter!
  4. Anyone who logs in to comment or vote will remain on your domain
  5. After a while, change the A record to your own webserver's IP address; display a "Temporarily unavailable" page, or redirect to news.ycombinator.com, or similar
  6. Collect all login cookies being sent to hkrn.ws
  7. Go to step 2

There are several ways to mitigate the problem. Here are a few that spring to mind.

  • Educate users not to log in unless it's the canonical URL (this is good practice in general, but the existence and use of hackerne.ws suggests people don't always follow it)
  • Refuse to respond to requests on anything but the canonical site name, or redirect all non-canonical requests to the canonical host name
  • Use HTTPS for the login
  • Use HTTPS for everything
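The second and third mitigations above, enforcing the canonical host name and marking the login cookie Secure, can be put in front of any web application as a small middleware. The following is an added example in Python (WSGI), not code from Hacker News' Arc server; the canonical host name, the sample requests and the cookie name are constructed assumptions. Any request whose Host header is not the canonical name gets a 301 to the same path on the canonical host, so a login cookie is only ever set for, and sent to, the canonical domain.

```python
"""Canonical-host enforcement as a WSGI middleware (added example).

Assumptions (not from the original post): the canonical host name below,
the constructed sample requests, and the cookie name "user".
"""

from urllib.parse import quote

CANONICAL_HOST = "news.ycombinator.com"  # assumed canonical site name


def redirect_target(environ, canonical_host=CANONICAL_HOST):
    """Return the canonical URL to redirect to, or None when the request
    already arrived on the canonical host (case-insensitive, port ignored).
    The path and query string are preserved so deep links keep working."""
    host = environ.get("HTTP_HOST", "")
    hostname = host.split(":", 1)[0].strip().lower()
    if hostname == canonical_host:
        return None
    path = quote(environ.get("PATH_INFO") or "/")
    query = environ.get("QUERY_STRING", "")
    url = "https://%s%s" % (canonical_host, path)
    if query:
        url += "?" + query
    return url


def login_cookie(session_token):
    """Set-Cookie value for the login session: no Domain attribute (host-only,
    so it is never sent to other names), Secure (never sent over plain HTTP),
    HttpOnly (not readable from page scripts)."""
    return "user=%s; Path=/; Secure; HttpOnly" % session_token


class CanonicalHostMiddleware:
    """Redirect every non-canonical Host to the canonical one before the
    wrapped application sees the request."""

    def __init__(self, app, canonical_host=CANONICAL_HOST):
        self.app = app
        self.canonical_host = canonical_host

    def __call__(self, environ, start_response):
        target = redirect_target(environ, self.canonical_host)
        if target is not None:
            body = b"Redirecting to the canonical host.\n"
            start_response("301 Moved Permanently",
                           [("Location", target),
                            ("Content-Type", "text/plain"),
                            ("Content-Length", str(len(body)))])
            return [body]
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Stand-in for the real site: answers 200 and sets a login cookie."""
    body = b"logged in\n"
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Set-Cookie", login_cookie("constructed-token")),
                              ("Content-Length", str(len(body)))])
    return [body]


def run_request(app, environ):
    """Drive a WSGI app with a constructed environ; return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body


if __name__ == "__main__":
    app = CanonicalHostMiddleware(demo_app)
    # Constructed request arriving on a look-alike domain: redirected, no cookie set.
    print(run_request(app, {"HTTP_HOST": "hkrn.ws", "PATH_INFO": "/item",
                            "QUERY_STRING": "id=2353296"}))
    # Constructed request on the canonical host: served normally.
    print(run_request(app, {"HTTP_HOST": "news.ycombinator.com",
                            "PATH_INFO": "/item", "QUERY_STRING": "id=2353296"}))
```

The redirect has to happen before any login form is served or any cookie is set; a check that only runs on the login handler still lets a user browse, and be asked to log in, on the wrong name. Comparing on the host name alone, with the port stripped and case folded, avoids rejecting legitimate requests that differ only in those details.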