I don’t remember when I created an invite link, but I’m sure I haven’t shared it with anyone. Today, this link was somehow discovered, resulting in 26 users joining, and I ended up paying 10*26=260 sats.
Perhaps I might have casually tried creating an invite link before, though I can’t recall when. However, I’m quite confident that I’ve never shared my invite link with others. I even tried Googling my invite link just now, and no results were returned.
I’m a bit concerned that there might be a bug or a security vulnerability here, which could have been exploited maliciously.
As a software engineer, I have some guesses. For instance:
- How is the invite link generation logic implemented? Is it purely random, or is it derived from the username (or other user-identifying fields) combined with some simple code to deterministically generate a default invite link for the user?
- Is the invite link protected against malicious enumeration?
Since Stacker News’s code is open-source, a malicious attacker might be able to read the code directly and figure out what they want.
cuid
to 16-byte random content. cuid. Based on this code, I was able to decode the timestamp of my invite link (https://stacker.news/invites/clr4of5kk0001ofw3xdik7kbn) as 1704703451636, which corresponds to Mon Jan 8 16:44:11 CST 2024, roughly one year ago.
c + timestamp(ms) + counter + fingerprint + random(8 bytes)
It includes a timestamp and an 8-byte random number, so attacking it wouldn’t be trivial. Therefore, the security of previously generated invite links shouldn’t be a major concern.
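As an added example that is not part of the post or of the Stacker News code base: the parser below splits a cuid v1 string into the fields listed above (the leading `c`, then timestamp, counter, fingerprint and random block) and decodes the embedded millisecond timestamp, so a reader can reproduce the decode on the invite id quoted in the post. The field widths (8 base36 characters for the timestamp, 4 for the counter, 4 for the fingerprint, 8 for the random block, 25 characters total) are the cuid v1 layout as I know it from the library, not something the post states; the 25-character id on the page matches it. The last helper puts a number on the point the post makes: once the issue time and host fingerprint are known, only the 8-character random block is unpredictable, which is about 41 bits, against 128 bits for a 16-byte random token.

```javascript
// Added example, not project code. Layout assumed: cuid v1 =
//   'c' + timestamp (8 base36 chars, ms) + counter (4) + fingerprint (4) + random (8)
const CUID_V1_RE = /^c([0-9a-z]{8})([0-9a-z]{4})([0-9a-z]{4})([0-9a-z]{8})$/;

// Split a cuid v1 string into its fields and decode the timestamp.
function parseCuid(id) {
  const m = CUID_V1_RE.exec(id);
  if (!m) throw new Error(`not a 25-char cuid v1 string: ${id}`);
  const [, ts, counter, fingerprint, random] = m;
  const timestampMs = parseInt(ts, 36);
  return {
    timestampMs,
    issuedAtUtc: new Date(timestampMs).toISOString(),
    counter: parseInt(counter, 36),
    fingerprint, // derived from host pid/hostname, same for every id from one process
    random,      // the only field an outsider cannot predict
  };
}

// Entropy (bits) of the unpredictable part of an id: n base36 characters.
function base36Bits(chars) {
  return Math.round(chars * Math.log2(36));
}

// Entropy (bits) of a token built from n random bytes.
function randomBytesBits(bytes) {
  return bytes * 8;
}

// Usage: the invite id quoted in the post, followed by the entropy comparison.
const POST_INVITE_ID = 'clr4of5kk0001ofw3xdik7kbn';
console.log(parseCuid(POST_INVITE_ID));
console.log(`cuid random block: ~${base36Bits(8)} bits, 16 random bytes: ${randomBytesBits(16)} bits`);
```

The decoded timestamp is the value the post reports; `issuedAtUtc` is the same instant in UTC, eight hours behind the CST time given above.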