[tahoe-dev] Almost-caps-in-URLs design failure by lack of attenuation
Kevin Reid
kpreid at mac.com
Thu Sep 10 18:37:39 PDT 2009
<http://xach.livejournal.com/228481.html>:
> There was a problem with Hacker News that allowed vote faking by
> constructing a special link.
>
> The vote links looked something like this:
>
> http://news.ycombinator.com/vote?for=814958&dir=up&by=jsteele&whence=news
>
> It was possible to fake votes by tricking the user to enter their
> Hacker News username into a form. To fix the problem, a new auth
> parameter was added to every vote link. Now the vote links look like
> this:
>
> http://news.ycombinator.com/vote?for=814958&dir=up&by=jsteele&auth=YQ6UDAAP&whence=news
>
> The auth parameter is a per-user random token. If a user votes and
> the auth token doesn't match the server's auth value for that user,
> the vote is ignored.
>
> The token value, as it turns out, is also used as the value of the
> user authentication cookie:
>
> (def vote-url (user i dir whence)
>   (+ "vote?" "for=" i!id
>      "&dir=" dir
>      (if user (+ "&by=" user "&auth=" (user->cookie* user)))
>      "&whence=" (urlencode whence)))
>
> If an attacker can get a logged-in Hacker News user to share a vote
> link, the auth parameter can be used in a cookie to act as the
> Hacker News user on the site. That means the attacker can vote, add
> comments, submit stories, change personal info, etc.
>
> How to get a user to share that link? One way is to entice them with
> pretty pictures. Here's one possible approach: [...]
>
> My experience with the vote faking suggests that many people are
> willing to try something like this.
>
> One way to fix this problem is to generate a different signature for
> each vote link. Stealing the link would then allow an attacker to
> make a specific vote on a specific story, but the attacker would not
> be able to act indiscriminately as another user.
--
Kevin Reid <http://switchb.org/kpreid/>
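As an added illustration (not code from the quoted post or from Hacker News), the leaky construction beside the per-link signature the post proposes, in Python; the server key, the cookie table and the helper names are constructed assumptions.

```python
import hmac
import hashlib
from urllib.parse import urlencode, parse_qs, urlparse

# Constructed server-side state (placeholders, not real secrets): one
# session cookie per user and one server-wide signing key.
SERVER_KEY = b"constructed-server-signing-key"
SESSION_COOKIES = {"jsteele": "YQ6UDAAP"}  # the 'auth' value from the post

BASE = "http://news.ycombinator.com/vote?"


def _params(url):
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def vulnerable_vote_url(user, story_id, direction):
    # Mirrors the original vote-url: the per-user auth token *is* the
    # session cookie value, so sharing the link shares the whole session.
    q = {"for": story_id, "dir": direction, "by": user,
         "auth": SESSION_COOKIES[user], "whence": "news"}
    return BASE + urlencode(q)


def _vote_mac(user, story_id, direction):
    # Signature bound to exactly this (user, story, direction) triple.
    msg = f"{user}|{story_id}|{direction}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()[:20]


def signed_vote_url(user, story_id, direction):
    # Hardened variant: auth is derived from a server key, never from the
    # cookie. A leaked link still replays this one vote, as the post notes,
    # but reveals nothing usable for any other action as that user.
    q = {"for": story_id, "dir": direction, "by": user,
         "auth": _vote_mac(user, story_id, direction), "whence": "news"}
    return BASE + urlencode(q)


def verify_vote(url):
    # Server side: accept only if the signature matches the request's own
    # (by, for, dir); any change to story or direction invalidates it.
    p = _params(url)
    expected = _vote_mac(p.get("by", ""), p.get("for", ""), p.get("dir", ""))
    return hmac.compare_digest(expected, p.get("auth", ""))


def leaks_session_cookie(url):
    # Does the link carry a value that doubles as the session cookie?
    p = _params(url)
    return p.get("auth") == SESSION_COOKIES.get(p.get("by"))
```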