
Semi-off-topic, but I found something seriously wrong with Craigslist.

https://post.craigslist.org/manage/1340717167/tkrju#tr231033

That link will allow you to edit that post. You don't even have to be logged in.

I've already alerted them, but let's see how long this lasts.



The hashtag isn't necessary, i.e. https://post.craigslist.org/manage/1340717167/tkrju works too.

Actually, I think Craigslist probably views this more as a feature than an exploit. Since you don't need an account to post on Craigslist, they can't do normal cookie-based authentication, so they just give you a secret URL for editing your page. Unfortunately, the only thing secret about the URL is a 5-character alphanumeric string, which I suppose would be possible to brute force.
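An added example, not part of the thread and not Craigslist's code: a secret edit link of the kind described above, issued with a 128-bit random token, stored only as a digest, and checked in constant time with a failure lockout, next to the entropy of a 5-character token for comparison. The `EditLinkStore` class, the post id, and the 36-symbol (lowercase plus digits) alphabet are assumptions made for illustration.

```python
import hashlib
import hmac
import math
import secrets
import string

# Assumed alphabet for the 5-character token: lowercase letters + digits.
ALPHANUMERIC = string.ascii_lowercase + string.digits

def token_entropy_bits(length, alphabet_size):
    """Bits of entropy in a uniformly random token of this shape."""
    return length * math.log2(alphabet_size)

class EditLinkStore:
    """Hypothetical server-side store for secret edit links."""

    def __init__(self, max_failures=5):
        self._digests = {}    # post_id -> SHA-256 digest of the token
        self._failures = {}   # post_id -> consecutive failed attempts
        self.max_failures = max_failures

    def issue(self, post_id):
        """Create a 128-bit token; only its digest is kept server-side."""
        token = secrets.token_urlsafe(16)
        self._digests[post_id] = hashlib.sha256(token.encode()).digest()
        self._failures[post_id] = 0
        return token

    def verify(self, post_id, token):
        """Constant-time check; a locked link must be re-issued to its owner."""
        expected = self._digests.get(post_id)
        if expected is None or self._failures[post_id] >= self.max_failures:
            return False
        supplied = hashlib.sha256(token.encode()).digest()
        if hmac.compare_digest(expected, supplied):
            self._failures[post_id] = 0
            return True
        self._failures[post_id] += 1
        return False

if __name__ == "__main__":
    weak = token_entropy_bits(5, len(ALPHANUMERIC))
    print(f"5-char alphanumeric token: {weak:.1f} bits")
    print(f"16 random bytes: {token_entropy_bits(16, 256):.0f} bits")
    store = EditLinkStore()
    link_token = store.issue("post-1")  # constructed post id
    print("valid token accepted:", store.verify("post-1", link_token))
```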



