Here's What Happens When You Hit the Front Page on Hacker News

On September 4, 2016 at about 7:00 PM Pacific time, I decided to share my latest side project, Postacard (now called Postcard Bot), with the Hacker News community. What followed was complete, unexpected madness...

Before we start, for reference, here are the links:

HN Thread

Postacard

Here we go...within just a few minutes, my post had scampered to the front page, where it then continued to climb for the next 12 hours, and stayed for the next 24.

I stayed stagnant at #2 for most of the time, hitting #1 only for a few minutes.

Front Page

The traffic to my project was unreal...considering it had literally been live for 20 mins before posting.

Google Analytics

The traffic wasn't even the best part, though...

Emails: congratulations, feature requests, suggestions, job offers, press interview requests, you name it. These all began flooding into my email account over the hours after the post went live. This, alone, goes to show the incredible value of the Hacker News community - I was given my own tap into the brilliant minds that make up this community.

I had bugs and concerns pointed out to me that I hadn't even thought of yet, people making suggestions on how to improve the product, feature requests from actual people who were now using my product...it was incredible.

Here's the upvote and comment count as of this posting.

218 upvotes. 85 comments. It's not much, but the comments were incredibly constructive and helpful.

Submission

What I Learned: Users are More Valuable Than Anything

I also received hundreds of users in my product, and they keep coming in daily. They also continue to email me asking for "this and that," and I'm able to either put their requests on the todo list, or let them know that feature is already on the way.

I know it's not a lot, but it's one of the coolest feelings ever having a side project that people actually use and that you built by yourself in a few days.

Thank You to the Community

All in all, I just want to thank the Hacker News community. The product itself is so much better in just a short period of time because of the type of people who used it and provided feedback - people like me. And now I can say I was one of those people whose side project made it to the front page of HN (for almost 24 hours), which is pretty damn cool.

Target='_blank'

The target="_blank" attribute in HTML, used from Facebook to Google, is susceptible to a massive phishing vulnerability.

The Vulnerability

When a link uses this attribute, the developers (or hackers) behind the newly opened page gain access to the referring page through the window.opener object. This allows malicious users to execute JavaScript code in the new page that acts on the opener, change the window.opener.location, etc. This also works with window.open().

Example

Say I have a link on my Facebook page pointing back to my website.

<a href="#" target='_blank'>traviswingo.com</a>

All I'd need to do at this point is execute a bit of JavaScript code on my website and phish away.

if (window.opener) {
  window.opener.location = "http://some_malicious_site.com";
}

This essentially gives me control over aspects of the referring page. In this case, the referring page was none other than Facebook.

The Fix

rel='noopener' for Chrome, Safari, Opera, IE.

rel='noopener noreferrer' for Firefox.
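To apply the fix across existing markup, the following added example (not code from the original post) finds anchors with target="_blank" in an HTML string and adds both rel tokens listed above, keeping any tokens already present. The function names and the sample markup are constructed for illustration, and the regex-based tag matching assumes attribute values do not contain ">".

```javascript
// Added example: audit and harden target="_blank" links in an HTML string.
// Names and sample markup are constructed; not part of the original post.
const REQUIRED = ["noopener", "noreferrer"]; // both tokens covers every browser the post lists

// Read one attribute from a tag's source text (double-quoted, single-quoted or unquoted).
function getAttr(tag, name) {
  const re = new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s"'>]+))`, "i");
  const m = re.exec(tag);
  return m ? { raw: m[0], value: m[1] ?? m[2] ?? m[3] } : null;
}

// Returns the rewritten HTML plus the list of opening tags that needed fixing.
function hardenBlankTargets(html) {
  const fixed = [];
  const out = html.replace(/<a\s[^>]*>/gi, (tag) => {
    const target = getAttr(tag, "target");
    if (!target || target.value.toLowerCase() !== "_blank") return tag;

    const rel = getAttr(tag, "rel");
    const tokens = rel ? rel.value.split(/\s+/).filter(Boolean) : [];
    const have = new Set(tokens.map((t) => t.toLowerCase()));
    const missing = REQUIRED.filter((t) => !have.has(t));
    if (missing.length === 0) return tag; // already carries both tokens

    fixed.push(tag);
    const newRel = ` rel="${[...tokens, ...missing].join(" ")}"`;
    // Replace the existing rel attribute, or add one right after "<a".
    return rel
      ? tag.replace(rel.raw, () => newRel)
      : tag.replace(/^<a/i, (open) => open + newRel);
  });
  return { html: out, fixed };
}

// Constructed sample input covering: no rel, partial rel, already safe, same-tab link.
const SAMPLE = [
  `<a href="https://example.com/a" target='_blank'>no rel</a>`,
  `<a href="https://example.com/b" target="_blank" rel="nofollow">partial</a>`,
  `<a href="https://example.com/c" target="_blank" rel="noopener noreferrer">ok</a>`,
  `<a href="/local">same tab</a>`,
].join("\n");

const report = hardenBlankTargets(SAMPLE);
console.log(`${report.fixed.length} link(s) hardened`);
console.log(report.html);
```

The `fixed` list doubles as an audit report: run the function over rendered templates or user-submitted HTML and fail the build or reject the input when it is non-empty.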

Other Issues

This can actually lead to more than just phishing attacks. That is not to say that changing the URL of your banking site without you knowing, in order to gain access to your login credentials, isn't bad!

Since I now have access to the window.opener object, I have partial access to what was on the referring page - allowing me to gather more information about the user who clicked through to the link, and perhaps steal some valuable information from you if I'm good enough!

So far, this issue has been spotted on Facebook, Twitter, Instagram, and Google, all of which are heavy targets for phishing and privacy concerns.

A Pale Blue Dot

"Look again at that dot. That's here. That's home. That's us. On it everyone you love, everyone you know, everyone you ever heard of, every human being who ever was, lived out their lives. The aggregate of our joy and suffering, thousands of confident religions, ideologies, and economic doctrines, every hunter and forager, every hero and coward, every creator and destroyer of civilization, every king and peasant, every young couple in love, every mother and father, hopeful child, inventor and explorer, every teacher of morals, every corrupt politician, every "superstar," every "supreme leader," every saint and sinner in the history of our species lived there--on a mote of dust suspended in a sunbeam.

The Earth is a very small stage in a vast cosmic arena. Think of the rivers of blood spilled by all those generals and emperors so that, in glory and triumph, they could become the momentary masters of a fraction of a dot. Think of the endless cruelties visited by the inhabitants of one corner of this pixel on the scarcely distinguishable inhabitants of some other corner, how frequent their misunderstandings, how eager they are to kill one another, how fervent their hatreds.

Our posturings, our imagined self-importance, the delusion that we have some privileged position in the Universe, are challenged by this point of pale light. Our planet is a lonely speck in the great enveloping cosmic dark. In our obscurity, in all this vastness, there is no hint that help will come from elsewhere to save us from ourselves.

The Earth is the only world known so far to harbor life. There is nowhere else, at least in the near future, to which our species could migrate. Visit, yes. Settle, not yet. Like it or not, for the moment the Earth is where we make our stand.

It has been said that astronomy is a humbling and character-building experience. There is perhaps no better demonstration of the folly of human conceits than this distant image of our tiny world. To me, it underscores our responsibility to deal more kindly with one another, and to preserve and cherish the pale blue dot, the only home we've ever known."

-- Carl Sagan, Pale Blue Dot, 1994