zlacker

Thread: "See how many words you have written in Hacker News comments"
1. guessm+q0a 2026-02-03 07:00:54
>>Imusta+(OP)
Nice SQLi vulnerability you got there ;-)

> making this project was the most fun I have had in some time haha!

> sorryyyyy for vibe coding it though. Peace. I am only human after all […]

Well, yes, of course the whole app was written by an LLM. I’m not surprised at all.

---

Request:

  POST /?user=play&add_http_cors_header=1 HTTP/1.1
  Host: play.clickhouse.com
  Content-Type: text/plain;charset=UTF-8
  User-Agent: Mozilla/5.0 (KHTML, like Gecko) Chrome/109.0.5414.120
  Accept: */*
  Origin: https://serjaimelannister.github.io
  Referer: https://serjaimelannister.github.io/
  
  SELECT username, total_words, global_rank, total_active_users,
  concat(toString(global_rank), ' / ', toString(total_active_users)) AS placement,
  round(100 * (1 - (global_rank / total_active_users)), 2) AS percentile
  FROM (
      SELECT by AS username, sum(length(splitByWhitespace(text))) AS total_words,
      rank() OVER (ORDER BY sum(length(splitByWhitespace(text))) DESC) AS global_rank,
      count(*) OVER () AS total_active_users
      FROM hackernews_history WHERE type = 'comment' AND deleted = 0 AND notEmpty(by)
      GROUP BY by
  ) WHERE username = '' OR 1=1;--' FORMAT JSON

Response:

  This message is too large to display
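For comparison with the request above, here is an added example (not code from the project in the thread) that builds the same ClickHouse query two ways: by splicing the username into the SQL text, which is the pattern that lets a value such as `' OR 1=1;--` rewrite the WHERE clause, and by sending the username as a ClickHouse query parameter so the SQL text stays constant. It assumes the endpoint and query shown in the request, ClickHouse's HTTP convention of passing parameters as `param_<name>` and referencing them as `{name:Type}`, and a username format rule assumed to match HN's signup rule (2 to 15 characters of letters, digits, `-` and `_`).

```javascript
// Added example, not the project's own code. Assumptions: endpoint and query
// text are those in the thread's request; "param_<name>" / "{name:Type}" is
// ClickHouse's query-parameter syntax; the username rule is assumed to follow
// HN's signup rule.

const ENDPOINT = "https://play.clickhouse.com/?user=play&add_http_cors_header=1";

const RANKING = `
SELECT by AS username, sum(length(splitByWhitespace(text))) AS total_words,
       rank() OVER (ORDER BY sum(length(splitByWhitespace(text))) DESC) AS global_rank,
       count(*) OVER () AS total_active_users
FROM hackernews_history WHERE type = 'comment' AND deleted = 0 AND notEmpty(by)
GROUP BY by`;

const SELECT_LIST = `SELECT username, total_words, global_rank, total_active_users,
  concat(toString(global_rank), ' / ', toString(total_active_users)) AS placement,
  round(100 * (1 - (global_rank / total_active_users)), 2) AS percentile`;

// Vulnerable pattern: the caller-supplied value becomes part of the SQL text,
// so quote characters in it change the statement itself.
function buildUnsafeRequest(username) {
  const body = `${SELECT_LIST} FROM (${RANKING}) WHERE username = '${username}' FORMAT JSON`;
  return { url: ENDPOINT, body };
}

// Hardened pattern: SQL text is a constant; the value travels out-of-band as
// param_username and ClickHouse binds it to {username:String} as data.
function buildSafeRequest(username) {
  const url = new URL(ENDPOINT);
  url.searchParams.set("param_username", username);
  const body = `${SELECT_LIST} FROM (${RANKING}) WHERE username = {username:String} FORMAT JSON`;
  return { url: url.toString(), body };
}

// Defence in depth on the client: reject anything that cannot be an HN
// username before any request is built (assumed rule, see above).
function isPlausibleHnUsername(s) {
  return /^[A-Za-z0-9_-]{2,15}$/.test(s);
}

// Sends the hardened request. fetchImpl is injectable so the function can be
// exercised with a stub and no network access.
async function lookupWordCount(username, fetchImpl = globalThis.fetch) {
  if (!isPlausibleHnUsername(username)) {
    throw new Error("not a valid Hacker News username");
  }
  const { url, body } = buildSafeRequest(username);
  const res = await fetchImpl(url, {
    method: "POST",
    headers: { "Content-Type": "text/plain;charset=UTF-8" },
    body,
  });
  if (!res.ok) throw new Error(`ClickHouse returned HTTP ${res.status}`);
  return (await res.json()).data;
}

// Demo on a constructed input (the value from the thread); nothing is sent.
const injected = "' OR 1=1;--";
console.log("unsafe WHERE clause:", buildUnsafeRequest(injected).body.split("WHERE username")[1]);
console.log("safe request URL:   ", buildSafeRequest(injected).url);
console.log("plausible username? ", isPlausibleHnUsername(injected));
```

The point of the parameterized form is that the server receives two separate things, a fixed statement and a value, and the value cannot alter the statement no matter what characters it contains. The regex check is a second layer, not a substitute: it narrows the input to what the application actually expects, which also makes a failed lookup easier to distinguish from a malformed request in logs.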
2. useful+k8a 2026-02-03 08:04:56
>>guessm+q0a
There's no vulnerability here.

This is a client-side GitHub Pages app. GitHub Pages doesn't do server-side SQL execution.

As your POST request shows, it's querying the hackernews_history table on ClickHouse Playground, which is a big read-only demo environment.

The information is public. "I can get the API wrapper to output more data" might be a quirk but it doesn't have security impact.

https://play.clickhouse.com/play?user=play

https://clickhouse.com/docs/getting-started/playground

https://clickhouse.com/blog/announcing-the-new-sql-playgroun...

3. embedd+Boa 2026-02-03 10:08:33
>>useful+k8a
Kind of ironic that a vibe coded project is seemingly receiving vibe coded security reports already. Only a moment before all comments are vibed as well.
4. KellyC+UBa 2026-02-03 11:51:30
>>embedd+Boa
Wasn't Moltbook developed for this: in the end, agents doing vibe coding with each other :-D
5. embedd+1Ea 2026-02-03 12:07:17
>>KellyC+UBa
Honestly? I don't know. I've tried a bunch of times to "browse" the website, opening posts like https://www.moltbook.com/post/4af5180a-929a-429a-aa9d-91edf9... but I don't see any discussions happening at all. It seems like some LLM generated a post, a bunch of LLMs generated something with the semblance of replies to that post, but then that's it: there are no conversations/debates/discussions at all, just basically spam to the top post or nonsense replies.

Maybe I'm expecting the wrong thing? Reading it wrong? I basically don't understand what people see in this. If the agents were talking, collaborating or whatnot, which I thought it was about, I'd kind of get it. Is it just broken right now, the wrong example, or something else?
