forked from clintonwoo/hackernews-react-graphql
security.tsx
import Link from 'next/link';
import * as React from 'react';

import { Notice } from '../layouts/notice';

// Static acknowledgements page: security holes reported to Hacker News, newest first.
export const SecurityPage = () => (
  <Notice>
    <b>Hacker News Security</b>
    <p>
      If you find a security hole, please let us know at{' '}
      <a href="mailto:[email protected]">[email protected]</a>. We try to respond (with fixes!) as soon as
      possible, and really appreciate the help.
    </p>
    <p>Thanks to the following people who have discovered and responsibly disclosed security holes in Hacker News:</p>
    <p>
      <b>
        20170430: <a href="http://www.michaelflaxman.com">Michael Flaxman</a>
      </b>
    </p>
    <ul>
      <li>The minor version of bcrypt used for passwords was susceptible to a collision in some cases.</li>
    </ul>
    <p />
    <p>
      <b>20170414: Blake Rand</b>
    </p>
    <ul>
      <li>Links in comments were vulnerable to an IDN homograph attack.</li>
    </ul>
    <p />
    <p>
      <b>20170315: Blake Rand</b>
    </p>
    <ul>
      <li>The right-to-left override character could be used to obscure link text in comments.</li>
    </ul>
    <p />
    <p>
      <b>
        20170301: <a href="https://twitter.com/_iamjk">Jaikishan Tulswani</a>
      </b>
    </p>
    <ul>
      <li>Logged-in users could bypass 'old password' form field.</li>
    </ul>
    <p />
    <p>
      <b>
        20160217: <a href="http://www.tjosse.me">Eric Tjossem</a>
      </b>
    </p>
    <ul>
      <li>Logout and login were vulnerable to CSRF.</li>
    </ul>
    <p />
    <p>
      <b>
        20160113: <a href="https://twitter.com/merttasci_">Mert Taşçi</a>
      </b>
    </p>
    <ul>
      <li>The 'forgot password' link was vulnerable to reflected XSS.</li>
    </ul>
    <p />
    <p>
      <b>
        20150907: <a href="http://www.s4ndeep.com">Sandeep Singh</a>
      </b>
    </p>
    <ul>
      <li>
        An open redirect was possible by passing a URL with a mixed-case protocol as the <em>goto</em> parameter.
      </li>
    </ul>
    <p />
    <p>
      <b>
        20150904: <a href="http://twitter.com/umenmactech">Manish Bhattacharya</a>
      </b>
    </p>
    <ul>
      <li>
        The site name display for stories was vulnerable to an{' '}
        <a href="https://en.wikipedia.org/wiki/IDN_homograph_attack">IDN homograph attack.</a>
      </li>
    </ul>
    <p />
    <p>
      <b>
        20150827: <a href="http://twitter.com/chrismarlow9">Chris Marlow</a>
      </b>
    </p>
    <ul>
      <li>Revisions to HN's markup caused an HTML injection regression.</li>
    </ul>
    <p />
    <p>
      <b>
        20150624: <a href="http://stephensclafani.com">Stephen Sclafani</a>
      </b>
    </p>
    <ul>
      <li>
        A form handling bug led to an XSS vulnerability using{' '}
        <a href="http://www.slideshare.net/Wisec/http-parameter-pollution-a-new-category-of-web-attacks">
          HTTP parameter pollution
        </a>
        .
      </li>
    </ul>
    <p />
    <p>
      <b>20150302: Max Bond</b>
    </p>
    <ul>
      <li>
        Information leaked during /r processing allowed an attacker to discover valid profile edit links and the user
        for which they were valid.
      </li>
      <li>
        <em>goto</em> parameters functioned as open redirects.
      </li>
    </ul>
    <p />
    <p>
      <b>20141101: Ovidiu Toader</b>
    </p>
    <ul>
      <li>
        In rare cases some users' profiles (including email addresses and password hashes) were mistakenly published
        to the Firebase API.
      </li>
    </ul>
    <p>
      See <a href="https://news.ycombinator.com/item?id=8604586">https://news.ycombinator.com/item?id=8604586</a> for
      details.
    </p>
    <p />
    <p>
      <b>20141027: San Tran</b>
    </p>
    <ul>
      <li>
        Some pages displaying forms were vulnerable to reflected XSS when provided malformed query string arguments.
      </li>
    </ul>
    <p />
    <p>
      <b>
        20140501: <a href="https://titanous.com">Jonathan Rudenberg</a>
      </b>
    </p>
    <ul>
      <li>Some YC internal pages were vulnerable to persistent XSS.</li>
    </ul>
    <p />
    <p>
      <b>
        20120801: <a href="http://louislang.com/">Louis Lang</a>
      </b>
    </p>
    <ul>
      <li>
        Redirects were vulnerable to HTTP response splitting via the <em>whence</em> argument.
      </li>
      <li>
        Persistent XSS could be achieved via the <em>X-Forwarded-For</em> header.
      </li>
    </ul>
    <p />
    <p>
      <b>
        20120720: <a href="http://www.tinfoilsecurity.com">Michael Borohovski</a>
      </b>
    </p>
    <ul>
      <li>Incorrect handling of unauthenticated requests meant anyone could change rsvp status for Demo Day.</li>
    </ul>
    <p />
    <p>
      <b>
        20090603: <a href="https://www.dfranke.us/">Daniel Fox Franke</a>
      </b>
    </p>
    <ul>
      <li>
        The state of the PRNG used to generate cookies could be determined from observed outputs. This allowed an
        attacker to fairly easily determine valid user cookies and compromise accounts.
      </li>
    </ul>
    <p>
      See{' '}
      <Link prefetch href="/item?id=639976">
        <a>https://news.ycombinator.com/item?id=639976</a>
      </Link>{' '}
      for details.
    </p>
    <p />
    <p>
      <b>Missing From This List?</b> If you reported a vulnerability to us and don't see your name, please shoot us
      an email and we'll happily add you. We crawled through tons of emails trying to find all reports but
      inevitably missed some.
    </p>
  </Notice>
);

export default SecurityPage;