It started with a question: "Is Qato a serious Quora clone attempt?" Wait, what is Qato? On its Twitter profile, Qato is described as an enterprise Q&A system developed by DZone. It allows users to switch effortlessly between Quora, OSQA and StackOverflow themes.
Qato, the Quora look-alike
One of Quora's engineers poked around the Qato website and discovered a security vulnerability. He described his methodology:
I was able to inject a textbook Cross-Site Scripting attack just by asking the following question:
Note especially the blankness of the page. What’s worse, as long as my question shows up in the feed, the main page of the site will presumably remain blank, too:
Yep, still blank.
Of course choosing to call $('body').fadeOut(2000) is among the more harmless things I could have done.
And… still blank.
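The engineer's write-up above describes a textbook stored cross-site scripting flaw: the text of a question was written into the page markup unescaped, so a script tag in the question ran wherever the question was rendered, including the main feed. As an added illustration, not Qato's code or the Quora engineer's, the following shows the vulnerable render pattern beside its hardened form, using a constructed sample title. The template markup, function names and the sample title are assumptions for the example.

```javascript
// Added example (not from the original post or from Qato):
// contextual output encoding for user-supplied question text.

// Map of characters that must be escaped in an HTML text context.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Escape a string for insertion into HTML text or a quoted attribute.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the question title is concatenated straight into the markup,
// so any markup in the title becomes part of the page and any script in it executes.
function renderQuestionUnsafe(title) {
  return `<li class="question">${title}</li>`;
}

// Hardened pattern: same template, but the title is escaped for the HTML text context.
// Because escaping happens at every render, the feed and the question page are both protected.
function renderQuestionSafe(title) {
  return `<li class="question">${escapeHtml(title)}</li>`;
}

// Constructed sample: a question title carrying the kind of script described in the post.
const SAMPLE_TITLE = 'Is Qato a serious Quora clone attempt?<script>$("body").fadeOut(2000)</script>';

// Simple detection check a reviewer or test suite can run over rendered output:
// does the markup still contain an executable script element?
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// Demonstration when run directly.
console.log('unsafe render executable:', containsScriptTag(renderQuestionUnsafe(SAMPLE_TITLE)));
console.log('safe render executable:  ', containsScriptTag(renderQuestionSafe(SAMPLE_TITLE)));
console.log(renderQuestionSafe(SAMPLE_TITLE));
```

`escapeHtml` is correct only for the HTML text and quoted-attribute contexts; text placed inside a script block, a URL or a CSS value needs that context's own encoder, and a Content-Security-Policy that disallows inline script is a useful second layer when a single missed escape would otherwise blank the whole site.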
For obvious reasons, Rick Ross, President of DZone, doesn't find this amusing. He responded by stating that Qato is a Q&A platform, that the Quora-like skin is just one of many Qato themes, and that Qato gives site owners the choice of which theme and user experience to offer. According to him, the Quora-like theme (and the answers.qato.com site) are really just work-in-progress prototypes, and they should probably not have been publicly accessible. [NOTE: His full answer here.]
His parting shot: "I am surprised that Quora policy permits developers to engage so openly in vandalizing other people's websites."
And Qato also tweeted this (shortly before this posting):
Rick did express his gratitude to the Quora engineers for exposing the vulnerability in his answer. But then again, there was no need to take a jab at Quora for condoning website vandalism. No harm done. Just a curious engineer flexing his hacking muscles. Maybe call this, say, ethical vandalism?
UPDATE: The answer posted by the Quora engineer has since been deleted. Here’s a screenshot of the answer:
Quora engineer Ben Newman posted a comment below.