zlacker

[return to "See how many words you have written in Hacker News comments"]
1. guessm+q0a[view] [source] 2026-02-03 07:00:54
>>Imusta+(OP)
Nice SQLi vulnerability you got there ;-)

> making this project was the most fun I have had in some time haha!

> sorryyyyy for vibe coding it though. Peace. I am only human after all […]

Well, yes, of course the whole app was written by an LLM. I’m not surprised at all.

---

Request:

  POST /?user=play&add_http_cors_header=1 HTTP/1.1
  Host: play.clickhouse.com
  Content-Type: text/plain;charset=UTF-8
  User-Agent: Mozilla/5.0 (KHTML, like Gecko) Chrome/109.0.5414.120
  Accept: */*
  Origin: https://serjaimelannister.github.io
  Referer: https://serjaimelannister.github.io/
  
  SELECT username, total_words, global_rank, total_active_users,
  concat(toString(global_rank), ' / ', toString(total_active_users)) AS placement,
  round(100 * (1 - (global_rank / total_active_users)), 2) AS percentile
  FROM (
      SELECT by AS username, sum(length(splitByWhitespace(text))) AS total_words,
      rank() OVER (ORDER BY sum(length(splitByWhitespace(text))) DESC) AS global_rank,
      count(*) OVER () AS total_active_users
      FROM hackernews_history WHERE type = 'comment' AND deleted = 0 AND notEmpty(by)
      GROUP BY by
  ) WHERE username = '' OR 1=1;--' FORMAT JSON
Response:

  This message is too large to display
◧◩
2. useful+k8a[view] [source] 2026-02-03 08:04:56
>>guessm+q0a
There's no vulnerability here.

This is a client-side GitHub Pages app. GitHub Pages doesn't do server-side SQL execution.

As your POST request shows, it's querying the hackernews_history table on Clickhouse Playground which is a big read-only demo environment.

The information is public. "I can get the API wrapper to output more data" might be a quirk but it doesn't have security impact.

https://play.clickhouse.com/play?user=play

https://clickhouse.com/docs/getting-started/playground

https://clickhouse.com/blog/announcing-the-new-sql-playgroun...

◧◩◪
3. embedd+Boa[view] [source] 2026-02-03 10:08:33
>>useful+k8a
Kind of ironic that a vibe coded project is seemingly receiving vibe coded security reports already. Only a moment before all comments are vibed as well.
◧◩◪◨
4. Aurorn+w1b[view] [source] 2026-02-03 14:30:10
>>embedd+Boa
> Only a moment before all comments are vibed as well.

There has been a sharp rise in comments that have all the signs of LLM generated output. Some times I’ll check their post history and see the same thing over and over again, at which point I’ll flag it. I don’t guess based on a single comment alone.

Most recently there was a guy obviously using ChatGPT to generate comments under topics with the usual signs (em dashes, unnecessary bullet point lists, “it’s not this, it’s that” construction on every line) who would finish the comments with a plug for his project.

LLM generated advertisement comments. The scariest part was how his comments were all getting upvoted so much.

Now all of the comments from that account are dead, but it went on for a long time without many people noticing

◧◩◪◨⬒
5. oneeye+67b[view] [source] 2026-02-03 14:56:58
>>Aurorn+w1b
Can I get you to whitelist my account? I use emdashes a LOT, but I'm very human.
◧◩◪◨⬒⬓
6. dirkc+U8b[view] [source] 2026-02-03 15:06:18
>>oneeye+67b
And how do we know you won't go and rent out your account to some AI once it's been white-listed (≖_≖ )
[go to top]