You wouldn't necessarily need someone to volunteer their username to make this work. This unfixed and ancient (2002!) browser vulnerability leaks information, via the styling of 'visited' links, about other URLs you've visited:
...is USERNAME. So another exploit -- still sneaky but not quite fraudulent, and not especially unique to HN -- would be to design an offsite page that does one or both of (1) greets HN users by name upon their visit; (2) logs which of some chosen set of HN users has visited the page.
If by 'brute force' you mean 'iterate through all legal usernames', I hadn't even thought of that!
I would expect someone instead to pick the leaderboard, or some other extant set of names (eg: Google [site:news.ycombinator.com inurl:user]), and just iterate over those.
(Sad aside: try that query at Google or Yahoo, and review the top 100 results. An awful lot of the usernames ranking highest are drug names.)
Yeah, I meant brute force over all registered usernames. I wrote a page that used the vulnerability you mentioned to check to see if a user has visited any of the top 100,000 websites: http://tlrobinson.net/misc/history.html (it seems to be broken now though) and it can churn through 100,000 tests in a few seconds.
http://seclists.org/bugtraq/2002/Feb/0271.html
In many cases, the only person who will have visited all of...
http://news.ycombinator.com/threads?id=USERNAME
http://news.ycombinator.com/submitted?id=USERNAME
http://news.ycombinator.com/saved?id=USERNAME
http://news.ycombinator.com/user?id=USERNAME
...is USERNAME. So another exploit -- still sneaky but not quite fraudulent, and not especially unique to HN -- would be to design an offsite page that does one or both of (1) greets HN users by name upon their visit; (2) logs which of some chosen set of HN users has visited the page.