#reddit-dev

      • DEADB33F
        How hard would something like this be to implement... www.reddit.com/comments/23aa6k/-/ch6iqbk
      • AGSPhoenix
        Don't gold users already get notified when they're mentioned? I'd imagine that code could be extended to subreddits
      • DEADB33F
        The username mention system is pretty straightforward though, it just generates a message to the user when they're mentioned. For subreddits you'd have to maintain a listing of which comments refer to which subreddits, etc.
      • and I don't know how that'd work.
      • AGSPhoenix
        Hmm... I can think of a lot of ways it could be done, but not a lot of ways that it *should* be done
      • spladug
        wouldn't be terribly difficult. don't know if it's something we'd want though.
      • DEADB33F
        Being able to see where inbound links are coming from would be quite handy for mods though.
      • Maybe just general referrer stats on traffic pages instead?
      • "top referring subreddits", "top referring external domains" etc
      • aperson
        It'd definitely help to detect vote gaming
      • AGSPhoenix
        Oh boy. SRD fuel
      • duoi
        hi
      • AGSPhoenix
        hi
      • duoi
        i'm curious as to how much power a moderator has over their subreddit's CSS. can i completely hide everything and put a fake login screen there instead?
      • AGSPhoenix
        Probably.
      • Well, at least you could make it look right
      • Not sure about functionality
      • I don't think you can define forms with CSS, so you have to work with what reddit gives you in that regard
      • also, RES users can ignore your CSS
      • Also, everything except the main site ignores your CSS too.
      • duoi
        yeah, i understand that much. im just asking to understand if phishing attacks are possible. a recent modification in chrome that hides the directory structure from the URLs will make this a concern.
      • so if users would visit reddit.com/r/shadyphishingpage, they wouldn't be able to discern it from the main reddit stream.
      • as they'd both show up as reddit.com.
      • AGSPhoenix
        Like I said, I don't think you can do anything with normal CSS to get the browser to submit data to anything but reddit itself
      • duoi
        even if it is submitted via GET to an external page?
      • AGSPhoenix
        I don't think you can make that happen with CSS
      • You cannot make a form that submits to badguys.com, you can only restyle what reddit already has (again, I think)
      • DEADB33F
        About the worst you can do is style the submit page to look like the login form and cause people to accidentally submit their login credentials as a subreddit submission.
      • ...then style the comment listing pages to look like a "thankyou for signing in, click here to continue" page.
      • AGSPhoenix
        ...that's really clever
      • DEADB33F
        so they don't know they just made a submission
      • Mark_
        i dont run any subreddits
      • but any js? or css only?
      • DEADB33F
        css only
      • duoi
        DEADB33F, thats what im thinking
      • AGSPhoenix
        also duoi, I just installed Canary, and I don't see the change you posted. Is it just a proposal at this point? Because if it hits the main channel, I'm switching to one of the tiny-userbase hipster browsers
      • Mark_
        what about pseudo selectors
      • duoi
      • DEADB33F
        Actually, probably a better one would be to make the flair 'edit' button cover the whole page which then pops up a restyled flair selector which looks like a password confirmation box.
      • That could probably be done pretty seamlessly.
      • and would save their password as their userflair
      • You could probably even target specific users with that one
      • Mark_
        i imagine the css is at least sanitized for xss
      • dunno
      • im not bored enough to try but css is a lot more powerful than it used to be ;P
      • DEADB33F
        you're still limited to only using the elements available on the page.
      • so it's not XSS
      • duoi
        ^this
      • Mark_
        yes but what about pseudo selectors
      • :after etc
      • or is it not free form css submission?
      • looks like html doesnt work in content anyway
      • oh well
      • duoi
        the submit self-post concept is wonderful though
      • im sure that can be used to exploit users
      • DEADB33F
        I think the flair text entry input would be a more crafty approach.
      • AGSPhoenix
        And stealthier
      • DEADB33F
        Since the button has a `data-name="username"` attribute you can hide it from users you aren't bothered about phishing and can target individual users.
      • which makes it even more evil
      • Anyway. Probably should be talking about it here.
      • knock up a proof of concept and earn yourself a whitehat
      • duoi
        i can always throw together a proof of concept and solidify my blackhatness
      • j/k
      • Mark_
        wouldnt be too hard
      • target moderator accounts
      • duoi
        ill just write a scathing article about google's intent to take away your security
      • :p
      • Mark_
        try to pick on one of those trending subreddits
      • AGSPhoenix
        ...or admin accounts o.o
      • Wait, probably a bad idea
      • Mark_
        well im talking about just getting traffic to the subreddit in general
      • AGSPhoenix
        If anyone would see through it, they'd be the ones
      • Mark_
        to be honest im not sure what fun stuff youd really do with some random janky reddit account
      • duoi
        getting traffic wouldn't be too difficult. rank comments on the frontpage via the "rising" sort option, and then edit them once they're at the top
      • Mark_
        except hope they recycled passwords
      • duoi
        just being able to steal reddit accounts is enough. if you add in an auto-posting/voting bot, you can rank stuff fairly well via established accounts
      • Mark_
        i mean more of an endgame purpose
      • trash a subreddit, etc? not to exciting
      • too*
      • duoi
        yeah, i mean spamming for profit. if i manage to acquire 5000 legitimate and established reddit accounts, i can game reddit much more efficiently than using 1 day old 0 post accounts etc
      • not to say I as in this is what I want to do, I'm saying "i" as in, if i was a spammer
      • AGSPhoenix
        Would still be a bit tricky, since you can't just control all the accounts from one or two IPs without reddit noticing
      • Oh god, is it really 5:41?
      • ugh, I'm going to bed. You folks have fun breaking things
      • duoi
        proxies are a dime a dozen.
      • AGSPhoenix
        ...yeah, but thousands?
      • duoi
        yeah. about $1 lol.
      • AGSPhoenix
        true
      • Anyways, night
      • Mark_
        its not even a matter of proxies anymore
      • so many freebies
      • heroku, appengine, openshift, azure
      • mobile devices..
      • so many things are ephemerally natted now
      • not to mention mobile cgn
      • there probably are 1000 users on reddit from the same ip address easy sometimes
      • maybe more
      • in fact id hope they have some sort of heuristics that are better than 'ipaddress derrr'