Not cool. We deliberately don't put that much effort into security, because this is a community based on trust, not a bank. And by choosing to publish this rather than e.g. simply sending me an email about it, he's inviting people to do this.
It's worth having a link to <a href="http://en.wikipedia.org/wiki/Cross-site_request_forgery" rel="nofollow">http://en.wikipedia.org/wiki/Cross-site_request_forgery</a><p>Something to think about for your own applications.
You wouldn't necessarily need someone to volunteer their username to make this work. This unfixed and ancient (2002!) browser vulnerability leaks information, via the styling of 'visited' links, about other URLs you've visited:<p><a href="http://seclists.org/bugtraq/2002/Feb/0271.html" rel="nofollow">http://seclists.org/bugtraq/2002/Feb/0271.html</a><p>In many cases, the only person who will have visited all of...<p><a href="http://news.ycombinator.com/threads?id=USERNAME" rel="nofollow">http://news.ycombinator.com/threads?id=USERNAME</a><p><a href="http://news.ycombinator.com/submitted?id=USERNAME" rel="nofollow">http://news.ycombinator.com/submitted?id=USERNAME</a><p><a href="http://news.ycombinator.com/saved?id=USERNAME" rel="nofollow">http://news.ycombinator.com/saved?id=USERNAME</a><p><a href="http://news.ycombinator.com/user?id=USERNAME" rel="nofollow">http://news.ycombinator.com/user?id=USERNAME</a><p>...is USERNAME. So another exploit -- still sneaky but not quite fraudulent, and not especially unique to HN -- would be to design an offsite page that does one or both of (1) greets HN users by name upon their visit; (2) logs which of some chosen set of HN users has visited the page.
I fell for the trickery (admittedly my mistake for trusting an unknown website) and submitted my user name, expecting to receive a graph like the page promised.<p>However, as pg already pointed out, it was totally uncool not notifying him before making it public. I am in support of full but responsible disclosure. So maybe he could have published it after informing pg and the issue was taken care of.
Some context:<p><a href="http://www.reddit.com/r/programming/comments/67gu9/take_the_arc_challenge/c032kur" rel="nofollow">http://www.reddit.com/r/programming/comments/67gu9/take_the_...</a>
Well done, you proved two things: 1) that you can write a script that does an HTTP GET and 2) that you should not be trusted.<p>Was that a net gain for you?
What's really stupid about all this is that I give fellow users on this site a little bit of trust because I know that many times, they would like advice or help with their projects, or conversely, they have stumbled on something I can learn.<p>So I don't worry too much about giving my user name out, or entering it into other HN members' apps. I did it, and I'm not worried about it really. It's not like run4yourlives is my bank id or anything.<p>What bothers me about the whole thing though is that I've now had it confirmed that HN is too big to trust anymore. Whereas before, there was a sense of kinship with people here - none of whom I've ever met - I now have to worry that some of them are just losers looking to exploit my trust.<p>That's worse than off topic posts and low quality comments really. It's an attack on the fabric of the community, and the value of the users. It's clear now that I must treat HN as I would treat reddit or digg or any other room full of potential idiots; people who would much rather exploit trust than build it.<p>Sad but inevitable I suppose.
Am I wrong, or is this just saying HN is CSRF-able? There are commerce apps that are still CSRF-able. And this is a comparatively clumsy attack, since there's no trivial way to get your username blindly.
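For readers taking the "think about this for your own applications" advice and the "HN is CSRF-able" point above, here is a token-based check of the kind the linked Wikipedia article describes. This is an added example, not code from any commenter or from HN itself; the site origin, the session dict, and the header/form dicts are assumed stand-ins for whatever a real framework provides.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed origin of the protected site (hypothetical, not HN's real host).
SITE_ORIGIN = "https://news.example.test"


def issue_csrf_token(session):
    """Mint an unguessable per-session token and store it server-side."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def is_csrf_safe(session, method, headers, form):
    """Decide whether a request may perform a state-changing action.

    session: server-side session store (dict stand-in)
    headers: request headers (dict stand-in); form: submitted fields
    """
    # Safe methods are let through only because the application must never
    # change state on GET; a GET-triggered action is the classic CSRF hole.
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True
    # Browsers attach Origin (or at least Referer) to cross-site form posts;
    # a value naming another site is rejected outright.
    source = headers.get("Origin") or headers.get("Referer")
    if source:
        parts = urlsplit(source)
        if f"{parts.scheme}://{parts.netloc}" != SITE_ORIGIN:
            return False
    # With or without an origin header, the request must carry the session's
    # token: a third-party page cannot read it, so it cannot forge the post.
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token", "")
    if not expected or not submitted:
        return False
    # Constant-time comparison avoids leaking the token through timing.
    return hmac.compare_digest(expected, submitted)
```

The token must be embedded in the site's own forms (hidden field) and never exposed on a GET endpoint a foreign page could read.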