I can't guarantee its safety, but I glanced at his JS, and it seems harmless.
(later edit: I probably should have posted this during the day to give someone a chance to fix it so no one new actually exploits this... should I delete it?)
Hehe. I've seen this before. When a News.YC user dataset was released I downloaded it and noticed that this user's file was the largest, so I checked it out.
Now out of curiosity, how did you find this user? He hasn't been very active it seems since he signed up over a year ago. (I see only one comment for this user).
I apologize. I didn't mean to assume anything. I used the fact that this user has made 1 comment over a year ago and had only 2 karma from that one comment to base my statement. It's also why I said it "seemed" that he hasn't been active. That's why I was wondering how this user was found.
"... I apologize. I didn't mean to assume anything. I used the fact that this user has made 1 comment over a year ago and had only 2 karma from that one ..."
Don't appologise - there is nothing wrong with your comment. I was just pointing there is an existing user that made it. I didn't want to name them w/o being sure.
haha wait, the javascript injection is "broken" in IE? so does the injection just not work or does it work but the effect looks crappy? because if the injection doesn't work i sure wouldn't call that broken.
39 comments
[ 2.4 ms ] story [ 84.8 ms ] thread(later edit: I probably should have posted this during the day to give someone a chance to fix it so no one new actually exploits this... should I delete it?)
Click on the logo & letters on the bottom and you can throw them around.
Did you notice the letter 'r' leaves a trail when you throw it R-L ? A blue trail and the intensity of the line differs too.
That's a pretty-printed and syntax highlighted view of the JavaScript in question.
Edit: slightly cleaned up the formatting.
Also! Line 75 confuses me (and jsLint) a bit. What's that up to?
That gets the jsLint errors down to complaints about assignments in loop conditions. So no biggie.
"GREETZ FROM Z0MBEE"
Now out of curiosity, how did you find this user? He hasn't been very active it seems since he signed up over a year ago. (I see only one comment for this user).
The term 'arglebargle' is used by a current HN member. So don't make this assumption.
Don't appologise - there is nothing wrong with your comment. I was just pointing there is an existing user that made it. I didn't want to name them w/o being sure.
http://news.ycombinator.com/item?id=213891
This kind of vulnerability makes it trivial to hijack someone's session. Of course you probably don't have any sensitive data on news.yc, but still...
Works in all versions of FireFox/Safari I've tried, but unsurprising is broken in IE.
Anyway, the injected script is indeed executed in IE, it just seem to fail because of an IE-specific bug.
...and swat punters... or pun swatters... and "we rust pants"
neck washer, warn cheeks, swan hecker or knee rash wc?
It's a nice personalization.
Sure -- check for it on comments, but on the user's page? Kind of neat.
* Submit stuff or comments under your account
* Modify your profile
* reset your password and take over the account
So probably best fixed if it's not already ;)
http://nexodyne.com/showthread.php?t=14736
If you guys really need to disable JS-injection for security purposes, at least leave "arglebargle's" in place.