I don’t remember when I created an invite link, but I’m sure I haven’t shared it with anyone. Today, this link was somehow discovered, resulting in 26 users joining, and I ended up paying 10*26=260 sats.
Perhaps I might have casually tried creating an invite link before, though I can’t recall when. However, I’m quite confident that I’ve never shared my invite link with others. I even tried Googling my invite link just now, and no results were returned.
I’m a bit concerned that there might be a bug or a security vulnerability here, which could have been exploited maliciously.
As a software engineer, I have some guesses. For instance:
  • How is the invite link generation logic implemented? Is it purely random, or is it derived from the username (or other user-identifying fields) combined with some simple code to deterministically generate a default invite link for the user?
  • Is the invite link protected against malicious enumeration?
Since Stacker News’s code is open-source, a malicious attacker might be able to read the code directly and figure out what they want.
These are just my concerns and guesses, not facts. I’d sincerely appreciate it if someone could help clarify my doubts. Thank you! @k00b @ek
42 sats \ 3 replies \ @k00b 3 Jan
We use a UUID-like id for these. It's random and not in the naive way you described, but ultimately, it can be brute forced.
It's possible that someone brute forced it, but it's also possible you used it somewhere and forgot about it and someone discovered it and drained it.
These old UUID implementations are somewhat brute forceable. We'll ship an update soon that does something less brute forceable, but we can't prevent you from sharing them in ways that cause someone to drain them.
reply
Thank you for your reply. I have now confirmed that the issue was on my end and unrelated to Stacker News. My previous statement, "I’m certain I never publicly shared this invite link," was incorrect. I’ve discovered that I sent this link to Nostr about a year ago.
After waking up this morning, I reviewed Stacker News' code and noticed that after my post, @ek submitted PR#1789, which changes the invite link generation method from using cuid to 16-byte random content.
From this PR, I learned about the previous logic for generating invite links and reviewed the implementation of cuid. Based on this code, I was able to decode the timestamp of my invite link (https://stacker.news/invites/clr4of5kk0001ofw3xdik7kbn) as 1704703451636, which corresponds to Mon Jan 8 16:44:11 CST 2024, roughly one year ago.
Following this lead, I searched through my posts on various social networks and discovered that I had indeed shared the invite link on Nostr a year ago.
Additionally, I’d like to clarify that the invite link format generated by cuid is c + timestamp(ms) + counter + fingerprint + random(8 bytes). It includes a timestamp and an 8-byte random number, so attacking it wouldn’t be trivial. Therefore, the security of previously generated invite links shouldn’t be a major concern.
I apologize for the confusion and inconvenience caused. Sorry!
reply
0 sats \ 1 reply \ @ek 4 Jan
No need to be sorry, you raised a valid concern.
Also appreciate you reporting back and analysing the cuid, not everyone would do that.
reply
Thanks again!
reply
Use the personalized invite links from now on. You generate a unique invitation only for specific cases.
reply
Thanks! Now I learned my lesson. 😂
reply
Check if you have a valid invitation here
reply
https://stacker.news/invites Thanks. I've already checked this page before posting here. I do have an invite link, though I'm not sure when it was created. But I'm confident that I’ve never shared my invite link with others.
reply