by famousactress 5567 days ago
Everyone's right that it was an ill-advised thing to do, but stepping back ignoring the law (I know..) and just asking yourself the gut question:

What's worse? injecting a relatively harmless script into the product (that frankly caused them to fix an issue that could have been very painful for them if someone more devious had found it first), or Qato's ripoff of Quora in the first place?

2 comments

For what it's worth, my takeaway on this is not that Qato "ripped off Quora"; to me it's quite clear they're building an engine for Q&A websites, and they've used Quora (and Stackoverflow) as examples of what you can build with it. Not so much "ripping off" - I see it more like the sort of Photoshop demo where a guy on stage recreates some well known image to show off Photoshop as a tool.

The problem is, their tool has at least one XSS vulnerability. I've been there myself, and usually a single XSS vulnerability is an indication that the underlying design of the system didn't take XSS (and probably web security in general) seriously enough. It's _possible_ this was just a single place where user-supplied data sanitisation wasn't done correctly, but I'd bet good money that it's indicative of a development mindset that failed to be paranoid enough. I'll bet there's a bunch of places they're going to find exactly the same error, and won't be at all surprised to find SQL injection vulnerabilities, HTTP header vulnerabilities, and any of a whole bunch of other "common web programming" errors. I'll be amazed if right now there aren't a bunch of people running fuzzers against any site suspected of having the Qato "engine" underneath it. I'll not be at all surprised to hear several of them get compromised before the weekend and start running dick-pill-seo spam...
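The comment above points at the root cause of most XSS bugs: user-supplied text concatenated into markup without encoding for the context it lands in. The following is an added illustration written for this thread, not code from Qato, Quora or any commenter; the `escapeHtml`, `renderAnswerUnsafe` and `renderAnswerSafe` functions and the `sampleAnswer` record are all constructed for the example, and the record stands in for a hostile Q&A post rather than anything actually found on the sites discussed.

```javascript
// Added example: contextual output encoding for user-supplied text rendered
// into HTML, the standard fix for the class of XSS described in the thread.
// Nothing here is taken from Qato's engine; all names are hypothetical.

// Escape the characters that can break out of an HTML text or attribute
// context. Applied at render time, so it does not matter how the value was
// stored or which code path produced it.
function escapeHtml(str) {
  const map = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#39;",
  };
  return String(str).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: raw input dropped straight into a template string.
// One missing escape in an attribute or a text node is enough.
function renderAnswerUnsafe(answer) {
  return `<div class="answer" data-author="${answer.author}">${answer.body}</div>`;
}

// Hardened pattern: every untrusted value is encoded, in every context,
// whether or not this particular field "looks" dangerous.
function renderAnswerSafe(answer) {
  return `<div class="answer" data-author="${escapeHtml(answer.author)}">${escapeHtml(answer.body)}</div>`;
}

// Constructed sample input: an author field that tries to close the
// attribute and a body that carries a script tag. Test data, not a real post.
const sampleAnswer = {
  author: 'eve" onmouseover="alert(1)',
  body: "<script>alert(1)</script>",
};

// Simple review-time check: did an untrusted value survive unencoded?
// Useful as a unit test around any template that renders user content.
function containsRawMarkup(html, untrusted) {
  return html.includes(untrusted);
}

// Running the two renderers side by side shows the difference.
console.log(renderAnswerUnsafe(sampleAnswer));
console.log(renderAnswerSafe(sampleAnswer));
```

The design point the comment makes applies here: escaping at the single output layer (`renderAnswerSafe`) rather than sanitising on input means there is one place to get right, and a test like `containsRawMarkup` can be run over every template rather than hunting for the one field someone forgot.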

All really fair points. For me, they still seem to fall into the 'Harbor Freight Tools of the Internet' category.

[Edit: I already feel kind of bad about this comment. I love me some 3$ multi-meters. Still. Analogy stands.]

Putting the legal issues aside? It doesn't matter either way: security vulnerabilities trump copycats (in my opinion).

Publicly releasing details of an XSS vulnerability on a third party's site has much bigger ramifications than a copycat site. Plenty of websites deal with copycats all the time: they're frustrating, but they're not necessarily overly threatening. On the other hand, a 0 day could compromise the security of user information. In certain fields, that could completely destroy your business.

Mixed agreement.

...that could completely destroy your business

Yep.