Today I discovered an interesting vulnerability in the Ycombinator’s Hacker News website.

For those of you who don’t know what’s all about this website, below I added a short description of it:

Hacker News is a social news website focusing on computer science and entrepreneurship. It is run by Paul Graham’s investment fund and startup incubator, Y Combinator. In general, content that can be submitted is defined as “anything that gratifies one’s intellectual curiosity”.

So, if you know Digg and Reddit, you know how the Hacker News works. It’s a community driven website. One with useful information and 0 ads. Now let’s talk about the hack that I discovered.

In the images below you will see exactly what I saw at the first:

hacker-news-hacked-1

hacker-news-hacked-2

hacker-news-hacked-3

hacker-news-hacked-4

So I was thinking, wow, Hacker News was hacked. Nice :) , but after three more seconds I saw the “Security” page in the footer and I decided to do a good thing. I reported the incident to the Hacker News security team. But while I was writing the email, I thought that I am reporting a vulnerability and I don’t know if the problem is real, I was thinking that maibe it’s a Firefox Bug. I opened Chrome and those characters were still there. So yes, this was a real vulnerability that I discovered, and no, it wasn’t Mozilla (sorry for blaming you from the first).

I am a programmer and I have Firebug installed on my web browser. For those of you that don’t know what Firebug is, please follow this link: http://getfirebug.com/

I opened Firebug and I removed the entire body content. Interesting fact was that the characters disappeared. So the vulnerability was coming from one of the articles. I removed articles html blocks one by one until I found the article that profited from Hacker News’s vulnerability. This was the article:

hacker-news-hacked-5

It was a simple HN internal question. At least, that’s what I was thinking. Once I entered it, I found this:

hacker-news-hacked-6

You can see that some users posted comments regarding the strange characters that appeared, but they haven’t thought about the vulnerability.

I have sent an email to the Hacker News Security team an hour ago, but the article wasn’t removed.

hacker-news-hacked-7

Maybe I’m not such an influencer, that’s why I haven’t received an email response, so I decied to post the article url here, so you can see the vulnerability by yourself. The article url is: https://news.ycombinator.com/item?id=11391980

Also, the characters that the attacker used are:

 

 

 

 

 

 

 

 

 

ส้้้้้้้้้้้้้้้้้้้้ด้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็ส้้้้้้้้้้้้้้้้้้้้ด้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็ส้้้้้้้้้้้้้้้้้้้้ด้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็ส้้้้้้้้้้้้้้้้้้้้ด้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็ส้้้้้้้้้้้้้้้้้้้้ด้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็ส้้้้้้้้้้้้้้้้้้้้ด้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็ส้้้้้้้้้้้้้้้้้้้้ด้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็ส้้้้้้้้้้้้้้้้้้้้ด้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็

I’m waiting for your opinions. This is an interesting topic. Why I’m posting the characters too? Because everybody should see them and be able to protect against them, I’m sure that not only the Hacker News website is vulnerable to this characters. Have anyone thought about Reddit? or even other top 10 websites..

I’m sure that lots of websites are vulnerable to this characters. They will break your website design for sure. I wrote the article and posted the characters, they also messed up the design on my blog. Please inspect the code above the characters and you’ll see how I fixed the design. But what will happen when the characters are used in the title? You know the answer, look at the Hacker News website how it looks.

Notice – I wrote this article to explain a vulnerability, so developers could make software tests based on it and prevent this to happen. This is not a hacking lesson, this is just an informative article.