How NOT to boost your rating on Habr


    Continuing the previous article. The tale of how Habr patched another way to raise one's rating faster than I managed to sniff it out.


    We continue to explore the Habrahabr website API and, by accident, find changes in the mechanics of rating assignment.


    Up front, I want to say that the article is entertaining in nature and does not claim to be scientific.
    So, if you are feeling kind today, welcome under the cut.



    Introduction


    Well, Habr, you introduced a limit of 3 posts per day, but you can't just ban flooding in the comments. And as we know, every comment is (vitamins, proteins and calcium) a potential 0.1 rating points, which in total add up to roughly the same volume as the posts.


    You might have thought: "Ahh, just make comments and plus them, that's all... Well, that's not interesting," but no, we'll still poke at Habr's API and catch funny errors.


    So, for this recipe we will need: one old article, so as not to attract attention, and the verified account of a friend whom we will push to the top.


    By the way, despite the fact that the article is old (as much as six months), it still creeps into the 'most discussed' list:


    Fortunately, this is only 'most discussed', far from the front page, so there is nothing to worry about.


    In fact, we need two requests: to post a comment and to approve it.


    API


    As it turned out, the request to post a comment was fairly mundane, but I found one strange thing: the parameters in the API for the desktop version and the mobile version are slightly different.


    For example, when creating a comment from a regular browser, we send the following request, specifying add as the action:

    But if you do the same from the mobile version, which comes with the m. prefix in the site's path, the action now takes the value mobile_add:

    This solution is a bit surprising, since the site's behaviour could be determined at the level of headers specific to the mobile version. Nevertheless, I did not find significant differences in behaviour on this basis.


    A small digression.
    I tried to see how Habr's iOS application was done, but everything turned out to be very serious there: SSL pinning was turned on, which prevents interception and cannot be bypassed even with the help of a fake root certificate:

    Now I'm trying to arrange (harakiri) a jailbreak of my iPhone to get a chance to play with the API through black magic, but this is still in progress. Technically, the API is actually open, there are even Python and PHP wrappers for it, but without a token issued by Habr nothing will work. Or I'll just find an Android device, but witchcraft is needed there too.


    But with voting, everything is already more interesting.
    It turned out that the method of voting for comments and for articles is essentially the same and differs only in one parameter, the one responsible for the article in which the comment is located.
    Let me remind you of the structure for voting for an article:


    body = {
        # article id
        'ti' => params[:id],
        'tt' => 2,
        'v' => 1
    }

    And here is what the voting structure for a comment inside it looks like:


    body = {
        # now this is the comment id
        'ti' => params[:id],
        'tt' => 3,
        # and this is the article id
        'pti' => 322908,
        'v' => 1
    }

    In my humble opinion, this is done a little crookedly.
    The same parameter in the same action has two different purposes. In effect, this is one request serving two different actions. But it is not for me to judge Habr; in the end, all of this works.


    And you could already relax, run the script and go drink tea, but that would be boring.
    Let's play with the parameters. What if v is set to 100? No, it says the page was not found. Or maybe -100? Same.


    In general, Habr always returns 404 for any incorrect action:

    Whether it is an error in a parameter or something else. You can't tell whether the page really doesn't exist or you just made a typo somewhere. This is probably effective against hackers, but was it convenient during development of the site?


    And yet, at a certain moment, Habr freaked out:

    It happened when v became equal to zero. The last time I heard something like that was from the kindergarten teacher when I threw bread at lunch.
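    To make the two points above concrete (the overloaded 'ti' parameter, and the fact that v=100, v=-100 and v=0 are each handled differently), here is an added example of a server-side validator for the vote body; it is not Habr's code. Field names 'ti', 'tt', 'pti', 'v' and the values tt=2 / tt=3 come from the post; accepting only v = -1 or +1 and the error messages are assumptions.

```ruby
# Added example, not Habr's code: a server-side validator for the vote body
# described in the post. Field names 'ti', 'tt', 'pti', 'v' and the values
# tt=2 / tt=3 come from the post; accepting only v = -1 or +1 is an assumption.
VOTE_TARGET_ARTICLE = 2
VOTE_TARGET_COMMENT = 3

class VoteError < StandardError; end

# Parse a form value strictly as a base-10 integer; nil for anything else.
def to_int(value)
  Integer(value.to_s, 10, exception: false)
end

# Returns a normalised vote {target:, id:, article_id:, value:} or raises
# VoteError with a specific reason instead of a blanket 404 for everything.
def validate_vote(body)
  v  = to_int(body['v'])
  ti = to_int(body['ti'])
  raise VoteError, 'v must be -1 or +1' unless [-1, 1].include?(v)
  raise VoteError, 'ti must be a positive id' unless ti && ti.positive?

  case to_int(body['tt'])
  when VOTE_TARGET_ARTICLE
    # For an article, 'ti' is the article id itself.
    { target: :article, id: ti, article_id: ti, value: v }
  when VOTE_TARGET_COMMENT
    # For a comment, 'ti' is the comment id and 'pti' must carry the article id.
    pti = to_int(body['pti'])
    raise VoteError, 'pti (article id) is required for a comment vote' unless pti && pti.positive?
    { target: :comment, id: ti, article_id: pti, value: v }
  else
    raise VoteError, 'tt must be 2 (article) or 3 (comment)'
  end
end

# For request handlers and logging: nil when the body is valid, otherwise the
# rejection reason (log it server-side even if the client only sees a 404).
def vote_rejection_reason(body)
  validate_vote(body)
  nil
rescue VoteError => e
  e.message
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample bodies: a valid article vote and the v=0 comment vote.
  puts validate_vote({ 'ti' => '322908', 'tt' => '2', 'v' => '1' }).inspect
  puts vote_rejection_reason({ 'ti' => '1', 'tt' => '3', 'pti' => '322908', 'v' => '0' })
end
```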


    And if at the same time you specify an incorrect comment id, then we get scolded:


    Of the interesting points, I noticed that the comment number is incremented by 2, not by one.
    That is, if the first comment comes with the value:


    comment_100002

    then the next one will already be


    comment_100004

    I am sure that another comment could not have squeezed in between them. The situation reproduced stably over a dozen tests late at night with a fraction of a second between them.
    But maybe I'm wrong. If anyone can explain the logic of this phenomenon, write in the comments.


    Mortal sins


    But what would it be without the human factor. This time I decided not to hide and just churned out comments on my old article, without hiding it in drafts. And that was my fatal mistake.


    Someone was so irritated by the sight of undeserved pluses that they were not too lazy to go through and put a minus on each of the 50 (oh my god) comments:


    Fortunately or not, by that time the shop had already been shut down, before I could even get a dozen points. I noticed this only after the script had run completely, when I went into my profile to enjoy my victory... but only complete disappointment awaited me.


    Naturally, I decided not to leave it like that and went straight to support, asking where my rating had gone, which I had so zealously farmed. And this is what they answered me:


    Apparently, 'not so tangibly' now means 'nothing at all'.


    Seriously, when asked directly how much the comments now contribute, the support answered: “We are not authorized to disclose this information.”


    Even when I later went over other people's comments in different articles, leaving pluses and minuses to reveal any kind of dependency, nothing came of it, unfortunately. Regardless of how many people had already voted for a given comment, many or no one at all, my vote could not change the author's rating.


    If you have any information about this, I will be glad to hear.


    Conclusion


    So Habr quickly cooled my ardour, showing that I was still far from being a hacker.


    In general, of course, the point is not the rating manipulation at all, but exploring the site. The impression is that Habr, like everywhere else, has a lot of legacy code and decisions left over from the very launch of the project that simply make no sense to redo.
    Next time we will dig in a more serious direction, towards the real API used in the mobile application, which even at a superficial glance looks professional.


    UPD1: Comment numbers go in steps of 2 for compatibility with Geektimes: even on Habr, odd on Geektimes. Thanks to lexnekr for the clarification.
    UPD2: Another opinion on the id increment has come in. It is said to be due to the MySQL configuration. Thanks to youROCK and kafeman for the info.
    I will be grateful for proof if someone can provide it.
    UPD3: But I am more impressed with the third opinion:

