Quora engineers accused of vandalizing a clone’s website

By on March 17, 2011

It started with a question: Is Qato a serious Quora clone attempt? Wait, what is Qato? On its Twitter profile, Qato is described as an enterprise Q&A system, developed by DZone. It allows users to switch effortlessly between Quora, OSQA and StackOverflow themes.

Qato, the Quora look-alike

One of Quora's engineers poked around the Qato website and discovered a security vulnerability. He described his methodology:

I was able to inject a textbook Cross-Site Scripting[1] attack just by asking the following question:

http://answers.qato.com/index.html

Note especially the blankness of the page. What’s worse, as long as my question shows up in the feed, the main page of the site will presumably remain blank, too:

http://answers.qato.com/index.html

Yep, still blank.

Of course choosing to call $('body').fadeOut(2000) is among the more harmless things I could have done.

And… still blank.
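What the engineer describes is a stored cross-site scripting flaw: the text of a question is written into the page's HTML without being encoded, so markup in the question runs as script for every visitor until the question leaves the feed. The following is an added example, not code from the article, from Qato or from Quora; it contrasts a rendering function that concatenates the raw title into HTML with one that HTML-encodes it first, using a constructed sample title and hypothetical function names (escapeHtml, renderUnsafe, renderSafe, containsScriptTag):

```javascript
// Added example: output encoding as the fix for the stored XSS described above.
// Names below are hypothetical; the sample title is constructed for illustration.

// Constructed question title carrying the same harmless call the article mentions.
const SAMPLE_TITLE = "Is Qato a serious Quora clone attempt? <script>$('body').fadeOut(2000)</script>";

// Encode the five characters that change meaning inside an HTML text or attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: user text is spliced straight into markup, so a <script>
// element in the title becomes part of the document and executes for every visitor.
function renderUnsafe(title) {
  return `<li class="question">${title}</li>`;
}

// Hardened pattern: the title is encoded before it reaches the HTML context, so the
// browser shows the literal characters "<script>" as text instead of parsing a tag.
function renderSafe(title) {
  return `<li class="question">${escapeHtml(title)}</li>`;
}

// Simple regression check for a template test suite: rendered markup derived from user
// input must never contain an active script element.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Stand-alone demonstration of both paths.
console.log('unsafe:', renderUnsafe(SAMPLE_TITLE));
console.log('safe:  ', renderSafe(SAMPLE_TITLE));
console.log('unsafe has script tag:', containsScriptTag(renderUnsafe(SAMPLE_TITLE)));
console.log('safe has script tag:  ', containsScriptTag(renderSafe(SAMPLE_TITLE)));
```

Encoding at output time is the general fix because it is context-specific and covers every stored value, old or new; filtering on input alone would have left the already-stored question in the feed, which is exactly why the engineer notes the page stays blank as long as his question remains there.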

For obvious reasons, Rick Ross, President of DZone, doesn't find this amusing. He responded by stating that Qato is a Q&A platform, that the Quora-like skin is just one of many Qato themes, and that Qato gives site owners the choice of which theme and user experience to offer. According to him, the Quora-like theme (and the answers.qato.com site) are really just work-in-progress prototypes, and he should probably not have allowed them to be publicly accessible. [NOTE: His full answer here.]

His parting shot: I am surprised that Quora policy permits developers to engage so openly in vandalizing other people’s websites.

And Qato also tweeted this (shortly before this posting):

Qato should be thanking the Quora engineers, and Rick did express his gratitude to them in his answer for exposing the vulnerability. But then again, there was no need to take a jab at Quora for condoning website vandalism. No harm done. Just a curious engineer flexing his hacking muscles. Maybe call this, say, ethical vandalism?

UPDATE: The answer posted by the Quora engineer has since been deleted. Here’s a screenshot of the answer:

Quora engineer Ben Newman posted a comment below.
