by dag 6301 days ago
Taking it public is a fix. Now that this information is public none of us will give out our usernames to external websites, thus ending the problem. In effect Xach could decide between emailing someone hoping they fix the problem, or just fixing it.

I found this whole event funny. I'm also amused that people reacted as negatively to this prank as middle managers at my old $MEGACORP job would.


> Now that this information is public none of us will give out our usernames to external websites, thus ending the problem.

Correct me if I'm wrong, as I'm NOT a web guru, but I think there are three ways to get the user names, and it's enough if this only works in some cases:

(1) Brute force (look at who's currently active on the site)

(2) Look at browser history (HN users have to constantly look at their own profile to check for replies, and the URL contains their user name)

(3) Send whatever request the browser sends to HN normally, and get the user name embedded in the page.

Again, I don't know enough about browsers/JS/HTTP/HN to know if any of the above would work. I'm just saying I'm not sure that explicitly giving out your user name is required for this.

Edit: typos

> none of us will give out our usernames to external websites

Maybe so, but in the case of Twitter, not many people seemed to learn their lessons - and there people were giving away their usernames and passwords.

> decide between emailing someone hoping they fix the problem, or just fixing it

But you do not know if a vendor will fix the problem as soon as you report it to them, even if they already have a past history of not caring. The balance here is responsible disclosure: maybe it's a big enough issue or maybe the right person noticed that your problem will get fixed when you first let them know. In the event you feel you are ignored though, go public. Best of both worlds.

> I found this whole event funny.

I don't think it's funny or angering. It's probably educational, as more people learn what CSRF is, and it's probably a little annoying in that not as many people are discussing responsible disclosure, but there's not much to get angry about. Votes? Big deal.
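Since the thread keeps coming back to what CSRF is and why a username alone was enough for the prank, here is the server-side check that closes the hole for a state-changing endpoint such as a vote. This is an added example written for this page, not HN's code or anything posted in the thread; the site origin, session id, request layout and function names are all assumptions made for the illustration. The point it makes is the one the thread circles around: the browser attaches the session cookie to a cross-site request automatically, so the cookie alone cannot tell the server who initiated the request, and the server needs evidence that a foreign page could not have supplied.

```python
import hmac
import hashlib
import secrets
from typing import Optional, Tuple
from urllib.parse import urlparse

# All names below are assumptions for this illustration, not a real site's code.
SITE_ORIGIN = "https://news.example"       # constructed origin of the site itself
SECRET_KEY = secrets.token_bytes(32)       # server-side secret; fresh each process start


def issue_csrf_token(session_id: str) -> str:
    """Per-session token derived from the server secret, so the server can
    recompute it on each request instead of storing it. The site embeds it in
    every form it renders; a page on another origin cannot read it."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def request_origin(headers: dict) -> Optional[str]:
    """Origin header if present, else the origin part of Referer, else None."""
    if "Origin" in headers:
        return headers["Origin"]
    if "Referer" in headers:
        p = urlparse(headers["Referer"])
        if p.scheme and p.netloc:
            return f"{p.scheme}://{p.netloc}"
    return None


def check_vote_request(req: dict, session_id: str) -> Tuple[bool, str]:
    """Decide whether a state-changing 'vote' request may proceed.

    req is a constructed stand-in for an HTTP request:
      {"method": ..., "headers": {...}, "form": {...}}
    session_id is what the session cookie resolved to. The cookie proves the
    browser belongs to a logged-in user; the three checks below are what show
    the request was initiated by our own page rather than a third-party one.
    """
    # 1. A vote changes state, so it must not be reachable by a plain GET:
    #    an image tag or link on any other site would trigger it.
    if req.get("method", "GET").upper() != "POST":
        return False, "state change via GET"

    # 2. The browser-set Origin/Referer must name our own site.
    origin = request_origin(req.get("headers", {}))
    if origin is None:
        return False, "no origin"
    if origin != SITE_ORIGIN:
        return False, "cross-origin"

    # 3. The form must carry the per-session token, which a foreign page
    #    cannot read and so cannot include. compare_digest avoids timing leaks.
    supplied = req.get("form", {}).get("token", "")
    expected = issue_csrf_token(session_id)
    if not hmac.compare_digest(supplied, expected):
        return False, "bad token"

    return True, "ok"


if __name__ == "__main__":
    sid = "session-abc123"                      # constructed session id
    tok = issue_csrf_token(sid)
    forged = {"method": "GET", "headers": {"Referer": "https://other.example/page"},
              "form": {"id": "42"}}
    print(check_vote_request(forged, sid))      # (False, 'state change via GET')
    genuine = {"method": "POST", "headers": {"Origin": SITE_ORIGIN},
               "form": {"id": "42", "token": tok}}
    print(check_vote_request(genuine, sid))     # (True, 'ok')
```

The three checks are deliberately independent: older browsers omit Origin and some proxies strip Referer, which is why the token check exists, and the token check alone does not stop a GET-triggered vote if the endpoint ever accepts GET, which is why the method check comes first.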