by nwh
4872 days ago
Ideally one would embed a webpage with a hidden image that loaded the upvote URL for a particular post of yours. Every logged-in user would unknowingly upvote that post ID. Thankfully HN is built with form keys, so that particular CSRF attack won't work. Social engineering would be more difficult; I seem to remember that Chrome prevents JavaScript strings from being pasted into its URL (you can still type them), in order to prevent attacks just like this. There were a number of attacks on Facebook that involved asking users to copy and paste a dodgy looking JavaScript string into a Facebook tab in order to "win" something. Of course it just spammed posts and stole session information, but it was still an interesting attack.
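How a form key stops the cross-site request described in the comment above, as an added example that is not part of the original post and not HN's own code. The `/vote` path, the `id`, `how` and `key` parameter names, and the HMAC construction are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed for this example: a per-deployment secret known only to the server.
SERVER_SECRET = secrets.token_bytes(32)


def form_key(session_id: str, action: str, item_id: int) -> str:
    """Derive a key bound to one session, one action and one item."""
    msg = f"{session_id}|{action}|{item_id}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def vote_url(session_id: str, item_id: int) -> str:
    """The link the site renders into its own pages for a logged-in user."""
    query = urlencode({"id": item_id, "how": "up",
                       "key": form_key(session_id, "vote", item_id)})
    return f"/vote?{query}"


def handle_vote(session_id: Optional[str], url: str) -> int:
    """Return an HTTP status: 200 if the vote counts, otherwise 400/401/403.

    session_id stands for the session the browser's cookie resolves to. The
    cookie is attached to cross-site requests too, so it cannot prove intent;
    the key can, because another origin cannot read the page that contains it.
    """
    if session_id is None:
        return 401
    params = parse_qs(urlparse(url).query)
    try:
        item_id = int(params["id"][0])
    except (KeyError, ValueError):
        return 400
    supplied = params.get("key", [""])[0]
    expected = form_key(session_id, "vote", item_id)
    # Constant-time comparison avoids leaking how much of the key matched.
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return 403
    return 200
```

A request that arrives with the user's session but without a key valid for that session and that item is rejected, which is the case the hidden-image request falls into.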