Quora engineers accused of vandalizing a clone’s website

By on March 17, 2011

It started with a question, Is Qato a serious Quora clone attempt? Wait, what is Qato? On its Twitter profile, Qato is described as enterprise Q&A system, developed by DZone. It allows users to switch effortlessly between Quora, OSQA and StackOverflow themes.

Qato, the Quora look-alike

One of Quora engineers poked around the Qato website and discovered security vulnerability. He described his methodology:

I was able to inject a textbook Cross-Site Scripting[1] attack just by asking the following question:

Note especially the blankness of the page. What’s worse, as long as my question shows up in the feed, the main page of the site will presumably remain blank, too:

Yep, still blank.

Of course choosing to call $(‘body’).fadeOut(2000) is among the more harmless things I could have done.

And… still blank.

For obvious reasons, Rick Ross, President of DZone, doesn’t find this amusing. He responded by stating that Qato is Qato is a Q&A platform and Quora-like skin is just one of many Qato themes, and Qato gives site owners the choice of which theme and user experience to offer. According to him, the Quora-like theme (and the answers.qato.com site) are really just work-in-progress prototypes. and should probably not have allowed them to be publicly accessible. [NOTE: His full answer here.]

His parting shot: I am surprised that Quora policy permits developers to engage so openly in vandalizing other people’s websites.

And Qato also tweeted this (shortly before this posting):

I think Qato should be thanking Rick did express his gratitude to the Quora engineers for exposing the vulnerability in his answer. But then again, no need to take a jab at Quora for condoning website vandalism. No harm done. Just a curious engineer flexing his hacking muscles. Maybe call this, say, ethical vandalism?

UPDATE: The answer posted by the Quora engineer has since been deleted. Here’s a screenshot of the answer:

Quora engineer Ben Newman posted a comment below.

Better Tag Cloud