Zach Beane (xach) wrote,

Stealing logins at Hacker News

The canonical URL for Hacker News is However, the Arc-based webserver does not check the Host HTTP header, so anyone can set up a DNS address record that points to the server's IP and get the full, normal Hacker News experience under their own domain name. is one memorable alternative domain name for Hacker News.

This behavior presents a way to steal logins.

  1. Set up a new domain, e.g.
  2. Point's A record at
  3. Link to items via that short domain, e.g. Perfect for twitter!
  4. Anyone who logs in to comment or vote will remain on your domain
  5. After a while, change the A record to your own webserver's IP address; display a "Temporarily unavailable" page, or redirect to, or similar
  6. Collect all login cookies being sent to
  7. Go to step 2

There are several ways to mitigate the problem. Here are a few that spring to mind.

  • Educate users not to log in unless it's the canonical URL (this is good practice in general, but the existence and use of suggests people don't always follow it)
  • Refuse to respond to requests on anything but the canonical site name, or redirect all non-canonical requests to the canonical host name
  • Use HTTPS for the login
  • Use HTTPS for everything
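One way to implement the second mitigation (refuse or redirect anything whose Host header is not the canonical site name), as an added example that is not code from this post or from the Arc webserver: a small WSGI middleware with a placeholder canonical host, plus the cookie flags that stop a login cookie from being replayed over plain HTTP.

```python
"""Host-header check as WSGI middleware (added example, not HN's Arc code).
The canonical host below is a constructed placeholder, not the real site."""
from urllib.parse import quote

CANONICAL_HOST = "news.example.invalid"  # placeholder, assumption for this example


def canonical_redirect(environ, canonical_host=CANONICAL_HOST):
    """Return (status, headers) for a redirect when the request's Host header
    is missing or names something other than the canonical host; return None
    when the request may be served.  Any port suffix is dropped so that
    'host:8080' still compares by name, and the comparison is case-insensitive."""
    host = environ.get("HTTP_HOST", "").split(":", 1)[0].strip().lower()
    if host == canonical_host.lower():
        return None
    path = environ.get("PATH_INFO") or "/"
    location = "https://%s%s" % (canonical_host, quote(path))
    query = environ.get("QUERY_STRING")
    if query:
        location += "?" + query
    # A permanent redirect to HTTPS on the canonical name: the browser lands on
    # the real site before any login form is shown, so the session cookie is
    # only ever set for, and sent to, that host.
    return ("301 Moved Permanently",
            [("Location", location), ("Content-Type", "text/plain; charset=utf-8")])


class CanonicalHostMiddleware:
    """Wrap any WSGI app so requests for non-canonical hosts never reach it."""

    def __init__(self, app, canonical_host=CANONICAL_HOST):
        self.app = app
        self.canonical_host = canonical_host

    def __call__(self, environ, start_response):
        redirect = canonical_redirect(environ, self.canonical_host)
        if redirect is not None:
            status, headers = redirect
            start_response(status, headers)
            return [b"Redirecting to the canonical host.\n"]
        return self.app(environ, start_response)


def login_cookie_header(session_id):
    """Set-Cookie header for a session cookie the browser will only send back
    over HTTPS (Secure) and that page scripts cannot read (HttpOnly)."""
    return ("Set-Cookie",
            "session=%s; Secure; HttpOnly; SameSite=Lax; Path=/" % session_id)
```

Pairing the redirect with the Secure flag covers the "HTTPS for the login" item too: even if a lookalike name later points elsewhere, a cookie marked Secure is never sent over an unencrypted connection to it.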