HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

Hijacking reactions

2»

Comments

  • thanks for the info, amazing it is the desire for people to cheat ,that is the bottom line imo and a moderator's nightmare i'm sure , the problem is the use of this:

    a class="Hijack ReactButton ReactButton-Like"

    maybe a word filter set to not allow this combination .

  • x00x00 MVP
    edited March 2013

    you cannot control what is on the client side, you have to do something on the server side.

    Word filter is all very well, but uniquess is much better. Simply make it impossible to replicate becuase they don't have the nonce and it is constantly changing for that session.

    grep is your friend.

  • Also another big issue from the forum I'm on is flag spamming activity. There are lots of activity posts all the time and since reactions are anonymous on activity there are some people that take advantage and spam abuses. It's a big problem that needs to be fixed.

  • @System_Error said:
    There are lots of activity posts all the time and since reactions are anonymous on activity there are some people that take advantage and spam abuses. It's a big problem that needs to be fixed.

    ARe you volunteering to make a plugin?

    There was an error rendering this rich post.

  • Something like this would be good to alert people at least that they clicked on a fake link.

    
        $(document).ready(function() { 
     
                        $('a.Hijack.ReactButton').click(function() { 
                alert('fake link clicked, click again to undo'); 
                return false; 
            }); 
     
       
  • peregrineperegrine MVP
    edited March 2013

    V,

    Hijack is a class used in real reactions, what you did will just display an alert for valid reactions as well.

    you are also missing the final "}); " in your code missing.

    maybe the best way to deal "hijack and this thread is to close the discussion - and implement x00's nonce suggestion.

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.

  • someone seems to have hijacked the "1000 awesomes badge". I can't see it.

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.

  • edited March 2013

    @UnderDog said:
    ARe you volunteering to make a plugin?

    Can't the one that is used for comments just be modified for activity?

  • @System_Error said:
    Can't the one that is used for comments just be modified for activity?

    Find out & let us know pls.

    There was an error rendering this rich post.

  • @peregrine said:
    V,

    Hijack is a class used in real reactions, what you did will just display an alert for valid reactions as well.

    Yea I was wondering about that, well then maybe erasing the old ones so they can't be used anymore......

    you are also missing the final "}); " in your code missing.

    yea was not intended to be used just to demo a possibility.

    maybe the best way to deal "hijack and this thread is to close the discussion - and implement x00's nonce suggestion.

    agreed

Sign In or Register to comment.