XSS is a pain - people can inject code into a URL link to do all manner of painful things to you.

But XSS is not just a worry for the site the exploit targets - it is a worry for anyone who lets publicly posted links appear on their site. Indeed the WORST possible place for it is one you would have imagined to be immune to such an issue: Hacker News.

I'll be honest: it's not exactly the most obvious or urgent of problems. But it's exploitable - and the prime candidates to exploit it would be spammers! And to cap it all it's a usability problem.

The Issue

On HN the domain name of posted links is shown next to the link title - this is a super handy feature that lets users read down the page and filter out sites they automatically don't want to read; it saves you the time of mousing over each link. BUT what it leads to is laziness - if you trust the domain (or have no reason to suspect it) then you will probably click the link to have a look without peeking at the whole URL.

Ok fair enough you say - but look at this link.

http://www2.telesign.com/login.php?loginerror=yes&user=\"<script>document.location='http://www.google.co.uk/search?q=spam+links%3F'</script>

Now click it (it's not malicious). See? On HN that would show up as leading to telesign - when in actuality it fairly quickly bumps you to Google (fast enough that you never see the telesign site). On HN that's a pain because it means you now have to be at least a little cagey over which links to click - you have to be aware. On other sites that don't put the domain next to the link it is NO LESS dangerous. People are lazy anyway.

On news sites this might be caught fairly rapidly - but then again it might not be. And on busy news sites it could get several clicks before anyone notices (HN usually gets me 50+ in the first 30 minutes of a link).

Applications

Well I'd have imagined that would be obvious.

1) Spammers: if they can find a legit-looking domain that they can hijack in this way, and think up a relevant title, their spam might stay on the sites just a little bit longer.

2) Phishers are an even more worrying concern. If a well-known site, or a new up-and-coming one, can be exploited like this, several sets of account details could be nicked before it is caught.

Solution

This isn't the fault of HN or any other links site really. It's the fault of the site that allows the attack - the one that reflects a URL parameter straight into its page without encoding it (dolts :)). But we should definitely be vigilant - always check the URL bar before entering details!!
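As an added illustration (my own code, not the post's and not the real login.php), here is the shape of bug the link above relies on, the fix for it, and a small check a links site could run on submitted URLs. It assumes the parameter is reflected into an attribute value; the host, payload and link are constructed placeholders.

```python
import html
from urllib.parse import urlsplit, unquote

# Constructed payload in the shape of the link quoted in the post; the host is
# a placeholder and the page below is an assumed one, not the real site's.
SAMPLE_USER = '\\"<script>document.location=\'http://example.invalid/\'</script>'
SAMPLE_LINK = ('http://host.invalid/login.php?loginerror=yes&user='
               '%5C%22%3Cscript%3Edocument.location%3D%27http%3A%2F%2F'
               'example.invalid%2F%27%3C%2Fscript%3E')


def render_login_error_vulnerable(user: str) -> str:
    """Reflects the 'user' parameter into an attribute as-is (reflected XSS).
    The leading \" closes the attribute and the script tag then runs."""
    return f'<p>Login failed.</p><input name="user" value="{user}">'


def render_login_error_safe(user: str) -> str:
    """Same page with HTML entity encoding of the untrusted value; it can no
    longer close the attribute or introduce a tag."""
    safe = html.escape(user, quote=True)
    return f'<p>Login failed.</p><input name="user" value="{safe}">'


def reflects_script(page: str) -> bool:
    """Cheap regression check for a test suite: did a script tag get through?"""
    return '<script' in page.lower()


def is_suspicious_link(url: str) -> bool:
    """Aggregator-side heuristic (my addition): flag submitted links whose
    query string or fragment decodes to markup or a javascript: URL. Showing
    only the domain, as the post describes, hides exactly this part."""
    parts = urlsplit(url)
    for part in (parts.query, parts.fragment):
        decoded = unquote(part).lower()
        if '<' in decoded or 'javascript:' in decoded:
            return True
    return False


if __name__ == '__main__':
    print(render_login_error_vulnerable(SAMPLE_USER))
    print(render_login_error_safe(SAMPLE_USER))
    print(is_suspicious_link(SAMPLE_LINK),
          is_suspicious_link('https://example.invalid/about?q=1'))
```

The heuristic is deliberately coarse; it is a cue to show the full URL or hold the submission for a look, not a substitute for the reflecting site fixing its output encoding.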