How I hacked Digg
phoboslab.org — An in-depth article on how Digg wouldn't respond to my bug reports, how I exploited a cross-site scripting vulnerability to force everyone to digg my story, and a list of all open bugs I found.
- 205 diggs
- Emilia82, on 06/04/2008, -6/+2: :-)
- relevant, on 06/04/2008, -10/+5: go throw the ball around with the old man, kid
- phoboslab, on 06/04/2008, -3/+6: I really tried to notify digg of these bugs. Please read the story before you judge me :X
- TheAttacks, on 06/04/2008, -0/+14: I'm pretty sure someone will kill this story before it gets big enough to cause Digg any problems, but still good information.
This is probably one of the biggest problems when you have a community this large: sifting through the actual threats being reported and the "oh noes, windowz shutz down when i hit dis button, it be ur falt!!!111!!" crap.
- phoboslab, on 06/04/2008, -0/+3: Well, all of the remaining XSS vulnerabilities I described can be fixed in a matter of minutes. So _if_ they finally notice these bugs, security should not be a problem.
- MikeonTV, on 06/04/2008, -8/+4: I'll believe it when this hits the front page
- jaydoj, on 06/04/2008, -3/+2: I don't know much about script, or building websites. I only got as far as a C++ class in c.c., but this is pretty entertaining to say the least
- Joffi222, on 06/04/2008, -0/+11: Oh the irony of Digging this story...
- johannesfreund, on 06/04/2008, -4/+3: This is a great story. And it is digg's fault that it has to be spread this way.
- joestump, on 06/04/2008, -0/+21: Just wanted to let everyone know we closed the first XSS hole a few days ago and, in the future, feel free to contact me directly with bugs / holes that you find.
- phoboslab, on 06/04/2008, -1/+6: Sorry for the stress I caused you and your colleagues with this! Please put this story back in list views as soon as you've sorted these things out :)
- YesImAChick, on 06/04/2008, -1/+8: http://digg.com/jobs#qae
- alishagg, on 06/04/2008, -6/+6: I could care less if Digg didn't respond to you. They don't necessarily have to send you a reply. Send them the bug report and be happy you helped.
De-friended for forcing a digg on something I wouldn't have dugg.
Find another way to get noticed.
- ddizzle, on 06/04/2008, -0/+2: no kidding, why would he do this?
- phoboslab, on 06/04/2008, -2/+4: Again, sorry for the annoyance! I guess I went a bit over the top with my "proof of concept".
- tylermenezes, on 06/05/2008, -0/+5: Not at all, IMO. Digg doesn't listen to bug reports, I've experienced it myself. You followed responsible disclosure procedures - report the bug, give them a timely period to reply. If they don't listen, writing a proof of concept is about the only thing you can do. This story wouldn't make it anywhere near the front page on its own, only stories submitted by popular diggers like mrbabyman do that. What else could you do?
- alishagg, on 06/04/2008, -0/+5: I think a better way to have done this would have been to write about your findings and then submit the story to digg and wait for it to get noticed, rather than involving other people and saying "oh look what I forced you to do".
If enough people want the vulnerabilities fixed, they'll digg it.
- tylermenezes, on 06/05/2008, -0/+3: "They don't necessarily have to send you a reply."
Generally, security researchers follow "responsible disclosure". The agreed-to policy is here: http://www.wiretrip.net/rfp/policy.html. Pretty much, you write to the company and tell them. Give them a reasonable amount of time to fix the problem. If they can't fix it in a few days, they should write to you to let you know they're working on it. If they don't, release it.
Problems in Windows have existed for years that Micro$oft's known about, and have been fixed days after they're released. If that's the way to fix the bug before someone more malicious finds it, so be it.
"Find another way to get noticed."
Pretty sure he wasn't submitting the proof of concept story to be noticed. Sure, he submitted THIS story to be noticed, and I'm fine with that -- it was a good read.
All that said, I think Digg needs a better bug tracking system. Have emails from there automatically added to a bug tracker, such as Bugzilla! I just noticed a bug in the comment preview for this comment and submitted it (the CSS is styled wrong; long comments are colored the shade of yellow at the end). I doubt it'll get fixed any time soon.
- romistrub, on 06/04/2008, -0/+7: Enh, Alisha is just a whiny lame-ass. I think you did an excellent job of a) discovering the bug, b) fleshing out the extent of the bug, and c) getting Digg to notice the bug.
Dugg hard for competence.
- JK1150, on 06/05/2008, -4/+1: you have far too much free time...
- shondell, on 06/05/2008, -2/+1: Digg's support team sucks, they should fix that.
- ankeshk, on 06/05/2008, -0/+0: Read the comments for the linked post. They're hilarious!
- dtele, on 06/05/2008, -0/+1: oh wow - I saw this on Reddit - I doubt it will go FP here, but dugg anyway :)
- maxino, on 06/06/2008, -0/+2: Your honor is to publish and share it. DUGG
- Surferess, on 06/06/2008, -0/+1: I enjoyed your ingenuity here. Was that comment really from Tim Berners-Lee?
- randomguy132, on 06/07/2008, -0/+0: Good show, good show.