<http://xach.livejournal.com/228481.html>:
> There was a problem with Hacker News that allowed vote faking by
> constructing a special link.
>
> The vote links looked something like this:
>
> http://news.ycombinator.com/vote?for=814958&dir=up&by=jsteele&whence=news
>
> It was possible to fake votes by tricking the user to enter their
> Hacker News username into a form. To fix the problem, a new auth
> parameter was added to every vote link. Now the vote links look like
> this:
>
> http://news.ycombinator.com/vote?for=814958&dir=up&by=jsteele&auth=YQ6UDAAP&whence=news
>
> The auth parameter is a per-user random token. If a user votes and
> the auth token doesn't match the server's auth value for that user,
> the vote is ignored.
>
> The token value, as it turns out, is also used as the value of the
> user authentication cookie:
>
>     (def vote-url (user i dir whence)
>       (+ "vote?" "for=" i!id
>          "&dir=" dir
>          (if user (+ "&by=" user "&auth=" (user->cookie* user)))
>          "&whence=" (urlencode whence)))
>
> If an attacker can get a logged-in Hacker News user to share a vote
> link, the auth parameter can be used in a cookie to act as the
> Hacker News user on the site. That means the attacker can vote, add
> comments, submit stories, change personal info, etc.
>
> How to get a user to share that link? One way is to entice them with
> pretty pictures. Here's one possible approach: [...]
>
> My experience with the vote faking suggests that many people are
> willing to try something like this.
>
> One way to fix this problem is to generate a different signature for
> each vote link. Stealing the link would then allow an attacker to
> make a specific vote on a specific story, but the attacker would not
> be able to act indiscriminately as another user.

-- 
Kevin Reid <http://switchb.org/kpreid/>

_______________________________________________
tahoe-dev mailing list
[email protected]
http://allmydata.org/cgi-bin/mailman/listinfo/tahoe-dev
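As an added illustration (not code from the quoted post or from Hacker News), the two designs side by side in Python: the original one, where the vote link's auth value is the session cookie itself, and the per-link fix the post proposes, where each link carries an HMAC over (user, item, direction) under a server secret. The server secret and the cookie table are constructed sample data; the only value taken from the post is the sample token.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

# Constructed sample data (not from the page): a server-side signing secret and
# one user's session cookie. The cookie value is the sample token from the post.
SERVER_SECRET = b"constructed-server-secret"
SESSION_COOKIES = {"jsteele": "YQ6UDAAP"}


def vulnerable_vote_url(user, item_id, direction, whence="news"):
    """The original design: the auth parameter is the user's session cookie."""
    return (f"vote?for={item_id}&dir={direction}&by={user}"
            f"&auth={SESSION_COOKIES[user]}&whence={whence}")


def vote_signature(user, item_id, direction):
    """Per-link token: an HMAC over (user, item, direction) under a server secret.

    The token proves the server issued this link for this exact vote and reveals
    nothing about the session cookie, so a shared link is good for one vote only.
    """
    msg = f"{user}|{item_id}|{direction}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def signed_vote_url(user, item_id, direction, whence="news"):
    """The fixed design: each vote link carries its own signature."""
    return (f"vote?for={item_id}&dir={direction}&by={user}"
            f"&auth={vote_signature(user, item_id, direction)}&whence={whence}")


def parse_vote_params(url):
    """Return the vote parameters as a flat dict of single string values."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def vote_is_authorized(params):
    """Server-side check: accept the vote only if the signature matches all of
    (by, for, dir). Changing any field, or reusing the token for another story,
    makes verification fail. compare_digest avoids a timing side channel."""
    expected = vote_signature(params["by"], params["for"], params["dir"])
    return hmac.compare_digest(expected, params["auth"])


def link_exposes_session(url):
    """Would presenting the link's auth value as the session cookie log in as the user?"""
    params = parse_vote_params(url)
    cookie = SESSION_COOKIES.get(params["by"], "")
    return hmac.compare_digest(cookie, params["auth"])
```

With the signed design, a leaked link still lets whoever holds it cast that one vote (as the post notes), but the same token fails for a different story or direction and is useless as a cookie.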
