by enormousness 910 days ago
This approach is also ripe for an XSS exploit.
2 comments

Do you mean CSRF? I don't see upvote links for some reason so I can't debug - but does auth contain a CSRF token?

If not, you could craft a page which upvotes posts for the current visitor (if they're logged in to HN).

You could mitigate it with server side checks (or maybe some new browser tech I don't know about?) but I think the synchroniser token pattern is still the current solution.

> does auth contain a CSRF token?

Yes, it looks like it does. Also, the vote auth param is different for every link.

I think there's server-side checking to avoid that. Let us know if you have a PoC though.
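The synchroniser token pattern and the per-link vote auth value discussed in the thread, shown as an added illustration that is not part of the thread and not Hacker News's actual code. The in-memory session store, the HMAC-based per-item token derivation and the `handle_vote` handler are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Constructed server-side session store: session id -> session data.
# In a real app the session id travels in a cookie, which the browser
# attaches to every request, including ones triggered by a third-party page.
SESSIONS = {}


def new_session(user="alice"):
    """Create a session with its own random CSRF secret (synchroniser token pattern)."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf_secret": secrets.token_bytes(32)}
    return sid


def vote_token(sid, item_id):
    """Mint the per-link 'auth' value: an HMAC over the action, keyed by the session secret.

    Because the key is per session, a third-party page cannot compute it, and because
    the item id is part of the message, a token for one link is not valid for another.
    """
    secret = SESSIONS[sid]["csrf_secret"]
    return hmac.new(secret, f"vote:{item_id}".encode(), hashlib.sha256).hexdigest()


def handle_vote(sid, item_id, auth):
    """Server-side check: accept only if the submitted token matches the one minted for this session and item."""
    if sid not in SESSIONS or not auth:
        return "rejected"
    expected = vote_token(sid, item_id)
    # Constant-time comparison avoids leaking the token byte by byte via timing.
    if not hmac.compare_digest(expected, auth):
        return "rejected"
    return f"vote recorded for {item_id} by {SESSIONS[sid]['user']}"


def demo():
    """Legitimate request versus a simulated cross-site request that lacks the token."""
    sid = new_session()
    legit = handle_vote(sid, "123", vote_token(sid, "123"))       # rendered link carries the token
    forged = handle_vote(sid, "123", "")                           # cross-site page has only the cookie
    reused = handle_vote(sid, "456", vote_token(sid, "123"))       # token for one link replayed on another
    return legit, forged, reused
```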