Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

That's a little spooky. I wonder how many people have AJAX posts for handling deletes?


In order to delete any content owned by a user, the Google bot would have to have logged in as that user first, which seems unlikely - so long as all destructive actions are behind access control, which they definitely should be already.


This is very far from true. Failing to implement access control or even authentication on POST is a routine error even in applications built in the last couple of years.


Well, maybe not for much longer...

Less facetiously: the Googlebot isn't making random POST requests, it's just executing Javascript on the page. So not only would you need an unprotected POST /comments/1234/delete endpoint, you'd also need to serve the UI and Javascript for POSTing to that endpoint to an unauthenticated user.

I'm sure there are still people out there doing that, but at least it's more than a simple error of omission.


I agree that this Googlebot change is unlikely to be the end of the world.


It might be for wikis that allow anyone to delete content.


Do those wikis also have JS that attempts to delete content without user interaction?


There have been evil spam bots executing JS and posting forms for some time. Those sites were already screwed.


Well, maybe not for much longer...

I wonder how much the Google Web Accelerator debacle made people realize that GET is supposed to be idempotent.

Perhaps Googlebot will do the same for POST and authentication.


It definitely requires that you be more vigilant in the design of something like crowdsourced flagging, though.


http://thedailywtf.com/Articles/The_Spider_of_Doom.aspx

I think this is more common than you believe.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: