
Hacker Noon fixes leaky drafts: what about your blog?

Update Aug-13-2020: Hacker Noon has fixed the issue and a reply via a tweet provided more information:

URL removal request went through https://google.com/search?q=site%3Aapp.hackernoon.com%2Fdrafts%2F… . All the pages on http://app.hackernoon.com had a `<meta name="robots" content="noindex, nofollow" />` tag, which has been updated to content="none" per https://developers.google.com/search/reference/robots_meta_tag#none


Does your CMS leak drafts?

I don’t know about you, but I’d be pretty concerned if I found out that an unfinished work or report I was working on was visible to the public.

It is a common feature of blogging platforms to let authors “export” drafts that can be shared with friends and peers to seek feedback.

Ideally, these would require the viewer to sign in to the website, but that is not always the case.

Medium, dev.to, and other sites have similar features which let you “preview” and share draft versions of your blog posts.

But in the case of Hacker Noon, I came across an interesting finding.

Google is indexing these unpublished drafts and it is not clear why.

[Image: Google indexing Hacker Noon unpublished drafts. Source: SecurityReport.com]

Moreover, unlike with Medium or dev.to, because of Hacker Noon’s predictable URL structure for drafts, anyone can simply run a search with the following string to see these:

site:app.hackernoon.com/drafts/

This surfaces unfinished pieces of all kinds: some still in progress or being edited live, others submitted or rejected at some point.

[Image: Hacker Noon draft in progress leaked via Google results]

Indexed from public forums?

My first hunch was that these drafts were perhaps being indexed by Google from public forums.

It isn’t uncommon for Hacker Noon authors to publicly post their finished draft links in community forums.

Typically authors do this to request editors to publish their drafts that have been sitting in the editorial queue for a while.

But in the case of this particular article, for example, searching for its content yielded one and only one result: the unfinished draft.

Furthermore, my investigation found no “robots.txt” file on the “app.hackernoon.com” subdomain, which could potentially prevent this by simply telling search engines not to look beyond “/drafts/”.

The “robots.txt” that does exist on the main hackernoon.com domain doesn’t (and can’t) do much to prevent the automatic indexing, since a robots.txt file only governs the host it is served from.

[Image: Hacker Noon robots.txt file on the main domain]
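To make the two controls discussed here concrete, the following added example (not code from the article or from Hacker Noon) checks a draft URL against a robots.txt and inspects the page’s meta robots tag, using only the Python standard library. The robots.txt and HTML samples are constructed assumptions, including an assumed Disallow rule for /drafts/ on the app subdomain; the example also captures the caveat that a crawl block stops the crawler before it ever reads a noindex tag, so the two controls are not simply additive.

```python
"""Added example: is a draft URL crawlable, and does its HTML block indexing?
All inputs below are constructed samples, not Hacker Noon's real files."""
from html.parser import HTMLParser
import urllib.robotparser

# Assumed robots.txt for the app subdomain (what a fix could look like).
ROBOTS_TXT = "User-agent: *\nDisallow: /drafts/\n"
# Constructed pages: the tag quoted in the update, before and after the change,
# plus a page with no meta robots tag at all.
DRAFT_BEFORE = '<html><head><meta name="robots" content="noindex, nofollow"></head><body>draft</body></html>'
DRAFT_AFTER = '<html><head><meta name="robots" content="none"></head><body>draft</body></html>'
DRAFT_BARE = '<html><head><title>draft</title></head><body>draft</body></html>'


class _MetaRobots(HTMLParser):
    """Collects the directives from every <meta name="robots"> tag."""

    def __init__(self):
        super().__init__()
        self.directives = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "robots":
            content = a.get("content") or ""
            self.directives += [d.strip().lower() for d in content.split(",") if d.strip()]


def meta_robots(html):
    """Return the list of meta robots directives found in the HTML."""
    parser = _MetaRobots()
    parser.feed(html)
    return parser.directives


def robots_allows(robots_txt, path, agent="Googlebot"):
    """True if robots.txt lets `agent` fetch `path` (an empty file allows all)."""
    rp = urllib.robotparser.RobotFileParser()
    rp.parse(robots_txt.splitlines())
    return rp.can_fetch(agent, path)


def assess(robots_txt, path, html):
    """Verdict for one draft URL: 'crawl-blocked', 'noindex' or 'exposed'.
    A Disallow means the body is never fetched, so a meta tag is never read."""
    directives = meta_robots(html)
    blocks_index = "noindex" in directives or "none" in directives
    if not robots_allows(robots_txt, path):
        return "crawl-blocked"
    return "noindex" if blocks_index else "exposed"
```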

Finished pieces have ‘draft’ versions too

I have also seen “draft” clones of already published, live stories too.

For example, this published article can be accessed at its live link but also has its draft version available via search engines.

[Image: Hacker Noon draft version of a live story]

Thankfully, I was not able to overwrite any drafts. Altering the content and pressing the “Save” or “Save and Publish” buttons would simply not bring about any updates—unless done by the rightful author of the story.

But the issue remains, why can I see unpublished drafts through Google?

And if the issue is with Hacker Noon, a popular “independent technology media site with 7,000+ contributing writers, 200,000+ daily readers and 8,000,000+ monthly pageviews,” how many other blogs may be impacted by flaws like these?

In the meantime, you may want to put into Hacker Noon drafts only what you’re okay with the world seeing.

Perhaps use an offline word processor and paste your final content into a Hacker Noon draft only when you’re ready to submit.

Disclosure note: I had reported this issue to the Hacker Noon team last week via both email and Twitter but haven’t heard back since. Given this is a low severity flaw (most drafts wouldn’t reveal anything overly sensitive) and that Google already shows the drafts, I have disclosed this flaw here.

© 2020. Ax Sharma. All Rights Reserved. Written for Security Report.

Ax Sharma

Ax Sharma is an Indian-origin British security researcher, journalist and TV subject matter expert with a focus on malware analysis and cybercrime investigations. His areas of interest include open source software security, threat intel analysis, and reverse engineering. Frequently featured by leading media outlets like the BBC, Channel 5, Fortune, WIRED, The Register, among others, Ax is an active community member of the OWASP Foundation and the British Association of Journalists (BAJ).
