In the late hours of Sunday, a proof of concept demonstration on how Reddit, the popular news portal often compared to Digg, handles JavaScript went viral, causing frustration and confusion.
The JavaScript flaw led to an XSS (Cross-Site Scripting) demonstration that triggered when a user hovered the mouse over a specially coded comment. Hovering over one of the test comments caused a chain reaction that started in the “Guy on a bike in New York 'high fives' people hailing cabs” thread.
The XSS resided in the Reddit code that handles markdown syntax, such as punctuation, links, etc. This allowed JavaScript left in comments to be executed. The user who started the annoying XSS attack, xssfinder, had their account disabled, and the technical teams on Reddit moved quickly to delete the rogue comments site-wide.
“We've fixed a couple of underlying bugs in markdown.py, and will write a blog post for those interested once the dust settles. We've also gone through and deleted the offending comments,” commented one of Reddit’s administrators, KeyserSosa.
Once the code triggered, several reports noted that it would cause any registered Reddit user’s previous comments to change, spreading the XSS across the entire site. It should be noted that at no time were users subjected to any malicious code other than the self-propagating comments, and Reddit never went offline because of the demonstration.
“This exploit was a good old-fashioned worm, and its only purpose seems to have been to spread (and spread it did). The effect was limited to the site, and no user information was compromised,” KeyserSosa added.
The issue on Reddit, while harmless for the most part, comes just after a self-propagating exploit on LiveJournal that wasn’t so harmless.
The LiveJournal attack saw users who were logged into the site have their email addresses stolen and their account privacy settings altered, potentially exposing hidden journal entries to the public, all because they viewed a malicious post. After that, infected users would have the same malicious code embedded into their own posts, spreading the infection.
“XSS vulnerabilities remain largely identical,” said WhiteHat Security Founder and CTO Jeremiah Grossman.
“What we are seeing now is the bad guys taking more active and frequent uses of XSS worms. While XSS issues have been the most prevalent issue for years, they've largely gone unexploited. Between this incident, LiveJournal's and others we could be seeing a shift.”