
I think you meant "registered" instead of "registering". I clicked it after I had already registered, and it showed me a notification about being part of the Hacker News group.

> You are now a member of Hacker News Reader. Other Hacker News Reader members will see a special badge near your profile picture so they'll know that you're as special as they are.

Yep. I am special and unique, just like everyone else :)




> I clicked it after I already had registered, and it showed me notification about being part of hacker news group.

So adding someone to an affiliation is as simple as getting them to ping a URL with a GET request? That doesn't seem especially secure.


Not secure at all. It's vulnerable to CSRF.

Embedding an iframe with the URL in an HTML page will cause all visitors to the page to get the affiliation.

Proof of concept: http://s.dpth.tk/files/jigcsrf.html

Simply visiting the above page while logged in is sufficient to get the affiliation.


> Embedding an iframe with the url in a html page will cause all visitors to the page to get the affiliation.

Won't a simple <img src=...> work? Why go the iframe route?

I don't think this is going to be the final affiliation implementation they are going to use. It's more like adding special touches for a community where he is showcasing, and they will turn it off in a day or two.


We'll fix this later. We have big plans for affiliations, but for now they are mostly just about the little badges :)


Yes, that would work. Including it as a script or css stylesheet would work also.
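An added example, not part of the thread and not the site's code: the GET-triggered join discussed above next to a hardened handler that refuses GET for state changes and requires a session-bound token. The request dictionaries, handler names and token scheme are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # constructed per-process secret (assumption)

def csrf_token(session_id: str) -> str:
    """Token bound to the session; the site embeds it only in its own join form."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def join_vulnerable(req: dict, members: set) -> int:
    # Behaviour described in the thread: any request carrying the session
    # cookie changes membership, including a plain GET.
    if not req.get("session"):
        return 401
    members.add(req["session"])
    return 200

def join_hardened(req: dict, members: set) -> int:
    session = req.get("session")
    if not session:
        return 401
    if req.get("method") != "POST":
        return 405  # GET must never change state
    supplied = req.get("form", {}).get("csrf", "")
    # Constant-time comparison against the token expected for this session.
    if not hmac.compare_digest(supplied.encode(), csrf_token(session).encode()):
        return 403
    members.add(session)
    return 200

def embedded_request(session: str) -> dict:
    """Constructed sample: what a browser sends for an iframe, img, script or
    stylesheet reference on a third-party page (GET with cookie, no form)."""
    return {"method": "GET", "session": session, "form": {}}

def own_form_post(session: str) -> dict:
    """Constructed sample: the site's own form, which includes the token."""
    return {"method": "POST", "session": session,
            "form": {"csrf": csrf_token(session)}}

if __name__ == "__main__":
    weak, strong = set(), set()
    print("vulnerable, embedded GET:", join_vulnerable(embedded_request("alice"), weak))
    print("hardened, embedded GET:  ", join_hardened(embedded_request("alice"), strong))
    print("hardened, own form POST: ", join_hardened(own_form_post("alice"), strong))
```
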



