Reddit Javascript Exploit Spreading Virally
Nithendil writes "guyhersh from reddit.com describes the situation (warning: title NSFW): Based on what I've seen today, here's what went down. Reddit user Empirical wrote javascript code where if you copied and pasted it into the address bar, you would instantly spam that comment by replying to all the comments on the page and submitting it. Later xssfinder posted a proof of concept where if you hovered over a link, it would automatically run a Javascript. He then got the brilliant idea to combine the two scripts together, tested it and it spread from there."
Seriously. Using the 'onhover' event is considered inventive enough to call it a proof of concept?
"NoScript FTW!" comments commencing in 3... 2... 1...
I skimmed the FAQ on the first link, and it seems reddit is responsible for not scrubbing input.
Next!
it will hopefully educate webmasters to stop programming their sites in a way that requires javascript even for basic functionality.
*cough*Slashdot*cough*
No, it won't. The other 6 million javascript exploits didn't do that. What makes you think this one will?
I'm a long time slashdotter and now spend equal time on reddit. What draws me to reddit is the spartan interface. Of course, the content on reddit is halfway between slashdot's and digg's, so I (unfortunately) have to keep coming back.
Just as exploits in the image processing components of web browsers will hopefully educate people to surf in Lynx? Or exploits in their HTML rendering will hopefully educate people to surf by piping wget through less?
This was not because of Javascript, nor is Javascript going away because of this.
Don't thank God, thank a doctor!
Indeed, it will educate people to surf with javascript turned off, and it will hopefully educate webmasters to stop programming their sites in a way that requires javascript even for basic functionality.
Anyone who believes this has simply never written a web application. Javascript and cookies are absolutely essential to any web programmer who wishes to have any type of dynamic content on a page. It annoys me to no end when someone says the solution to security holes is to turn these features off. The solution is for programmers to stop being idiots and write secure code, both in web applications and in the browsers themselves.
Over the years I've also spent quite a bit of time on social sites like Slashdot, Fark, Metafilter, Digg, etc., but now spend the majority of my time on Reddit. I actually like the design (it's simple, efficient and useful). But the beauty of Reddit is the organized structure of the sub-reddits. If I'm short for time, I can just quickly browse the frontpage. If I have more time, I can browse my favorite sub-reddits where people know me. The commenting system is easy on the eyes and easy to follow, and the userbase is a nice balance of attitudes.
Hey, everyone, there is a javascript exploit on Reddit! Click on these links to Reddit to learn more.
Incidentally, this old sock smells awful. You should smell it.
Anyone who believes this has simply never written a web application. Javascript and cookies are absolutely essential to any web programmer who wishes to have any type of dynamic content on a page. It annoys me to no end when someone says the solution to security holes is to turn these features off.
Wrong. We're not ignorant, we just think that "dynamic content" isn't important or useful.
As a web developer, I beg to differ. There is absolutely no excuse for writing a page that doesn't 'fail gracefully' when javascript isn't present. Let's face it, for every reputable page out there (att.net, youtube.com, etc) there are a hundred others designed by average joe-schmo web programmers. And lord only knows if they designed their page securely, and lord only knows if someone has hacked them and injected malicious scripts. I seem to recall hearing a few weeks ago that the majority of malicious scripts were being put into Hollywood celebrity gossip sites that people were hitting off their Google searches.
For me, the solution is to just whitelist the sites I visit frequently, only allowing scripts/cookies when I know they can be trusted. I'm not saying that you shouldn't design without javascript, but I am saying that you shouldn't assume that everyone visiting your page is going to have it. Besides, how hard is it to write a page that vomits up its contents in a readable form when the javascript doesn't run to position all the css objects? It doesn't have to look pretty, but it should be usable.
There's a huge difference in complexity between image/HTML renderer and Javascript. Image file formats and HTML pages are not Turing complete, while Javascript is. Consequently, the former are "safe" in that it's possible to prove that a particular implementation is free of exploits that would allow running arbitrary code, while Javascript by definition can never be; the whole point of Javascript is to allow arbitrary code execution, so the best you could ever prove is that the code never leaves the confines of the Web browser - but having a script post comments does not require that.
Yes, this was because of Javascript, but no, sadly it won't be going away.
Forget magic. Any technology distinguishable from divine power is insufficiently advanced.
Any proposal that relies on any group of people to not be idiots is doomed to failure.
How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
Years ago I actually proposed to the W3C and the mozilla bunch to add a tag to disable dynamic stuff like javascript.
Basically it would work something like this:
<shield lock="some_random_hard_to_guess_string_here" enabled="basic_html_only">
The browser will only recognize basic HTML stuff here; it won't recognize javascript or any _future_ dynamic stuff that the W3C or browser people think of
</shield unlock="some_random_hard_to_guess_string_here">
The some_random_hard_to_guess_string_here would be different for each page.
The idea is, while the website should still have filters, even if in the future the W3C or browser wiseguys create some newfangled way of inserting javascript or some other dynamic content that the filters do not protect against (since it's new and the filters have not been updated), the browser will just ignore the new stuff that some hacker inserts when it's between the tags.
To me the current state of things is a bit crazy - basically it's like having a car with 1000 gas pedals (tags) and to stop the car you have to make sure all 1000 pedals are not pressed (escaped or filtered). There is not a single brake pedal! And worse, the W3C or MS or Mozilla or whoever could introduce a new gas pedal, and you the website operator have to filter out the new gas pedal when it's introduced.
With something like this tag there is a brake pedal, so even if you don't manage to filter out all the 1000 gas pedals, the brake helps to keep stuff safe.
If they had implemented such a tag, the google and myspace worms would not have worked for so many browsers.
FWIW, these sorts of worms are not new. I managed to find a hole in Advogato some years ago (iframe worm) - and hence my suggestion to the W3C and Mozilla.
But it seems to me that NONE of them are really interested in improving security. They're all just interested in inventing new gas pedals for people (and hackers) to step on. They're not even interested in creating a single brake pedal. They just pay lip service to security.
See the thing is - it's not too difficult to code a browser to go "OK from now on there's no such thing as javascript till I see a valid unlock tag", so even if there is a browser parsing bug and a hacker manages to insert javascript via a stupid browser bug (that the website filters naturally do not and cannot cater for) it does NOT matter - since javascript will be disabled - between those tags the browser will be respecting the flag that says "I do not know javascript, java and all that fancy stuff" - it does not even have to parse javascript - since for all intents and purposes between those tags, the browser does not know there's such a thing as javascript (or activex or flash etc).
This is very useful for sites that have to include 3rd party content - sites like slashdot or webmail sites or even sites that serve up ads from 3rd parties.
So by advising people to disable Javascript, I'm doing my part for killing off "Web Applications" and getting us back to good old Web Pages. Excellent.
Seriously, why would I want "dynamic content" when all that really means is a thousand pauses as more data is fetched? Give me static pages whenever possible. Better yet, give me a single large static page rather than a dozen small pages, so I don't have to wait while the next page is being loaded and rendered.
The solution is to understand that most web sites are not applications, from the users point of view, and stop stuffing them full of scripts that do nothing but slow things down.
It's 2009. We should be able to use the internet the way it is intended, with javascript. Javascript isn't the problem, poor programming on reddit's behalf is the problem.
Similes are like metaphors
This isn't a lesson about javascript. It is a lesson we should have learned from Bobby Tables a long time ago. This shouldn't have been possible regardless of javascript.
For those not in the know: http://xkcd.com/327/
What exactly does being Turing complete have to do with it? If a scripting language weren't Turing complete, but had direct read/write access to your file system, would it be any safer than JS?
The problem with Reddit isn't JavaScript but rather their markdown implementation. And the security threat here isn't to the user whose system is running the JS, but instead to the Reddit site. If you're using an up-to-date & secure browser, there's typically minimal risk to enabling JavaScript. That JavaScript can sometimes be used to do mischievous things is a reason why site owners should not recklessly allow JavaScript to be posted by untrusted users—just as you wouldn't want to allow unfiltered HTML code to be posted by untrusted users.
If someone posts a link on a Slashdot, and that link eventually gets Slashdotted, then does that mean hyperlinks are inherently unsafe and need to be disabled, or just that some common sense precautions need to be taken when using them?
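Added example, not code from this thread, from reddit or from any browser: a toy model in Python of the two defences discussed above, the allow-list filtering of user markup that the comment about reddit's markdown implementation calls for, and a simulation of the `<shield lock=...>` / `</shield unlock=...>` region proposed earlier in the thread. Only the shield tag's syntax comes from that comment; the tag is a commenter's proposal and no browser implements it. The blocklist filter, the allow-list sets, the URL schemes, the sample comment and the function names are all my own constructions for the demonstration.

```python
"""Toy model of two defences against script injected through user comments:
an allow-list sanitiser (what a site filter should do) and a simulated browser
honouring a proposed <shield lock=...> region (a 'brake pedal' that neutralises
anything the site filter missed).  Everything here is constructed for the example."""
import html
import re
import secrets
from html.parser import HTMLParser

# Allow-list: anything not named here is dropped.  No on* attributes, no style, no script.
ALLOWED_TAGS = {"p", "a", "em", "strong", "code", "pre", "ul", "ol", "li", "blockquote", "br"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")
DROP_CONTENT_TAGS = {"script", "style"}  # their text is discarded, not just their tags


class AllowlistSanitizer(HTMLParser):
    """Rebuilds markup from scratch, keeping only allow-listed tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._dropping = None  # name of a script/style element whose body is being skipped

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self._dropping = tag
            return
        if tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:  # HTMLParser lower-cases names, so onMouseOver is caught too
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops every event handler (onmouseover, onerror, ...) and style
            if name == "href" and not value.strip().lower().startswith(SAFE_URL_SCHEMES):
                continue  # drops javascript: and any other unexpected scheme
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if self._dropping == tag:
            self._dropping = None
        elif tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self._dropping is None:
            self.out.append(html.escape(data, quote=False))  # text is re-escaped, never trusted


def sanitize(fragment: str) -> str:
    p = AllowlistSanitizer()
    p.feed(fragment)
    p.close()
    return "".join(p.out)


def naive_blocklist_filter(fragment: str) -> str:
    """A site filter of the 'gas pedal' kind: it only knows about <script> elements,
    so an event-handler attribute passes straight through it."""
    return re.sub(r"<script\b.*?</script\s*>", "", fragment, flags=re.IGNORECASE | re.DOTALL)


def wrap_untrusted(fragment: str) -> tuple[str, str]:
    """Server side: wrap an untrusted fragment in the proposed tag with a fresh per-page token."""
    token = secrets.token_hex(16)
    return token, (f'<shield lock="{token}" enabled="basic_html_only">'
                   f"{fragment}"
                   f'</shield unlock="{token}">')


def render_with_shield(page: str, token: str) -> str:
    """Browser side (simulated): between a shield open and the unlock carrying the same token,
    markup is forced through the allow-list whatever the site filter did.  An unlock with any
    other token is ordinary content, and an unterminated shield stays locked to end of page."""
    open_tag = f'<shield lock="{token}" enabled="basic_html_only">'
    close_tag = f'</shield unlock="{token}">'
    out, pos = [], 0
    while True:
        start = page.find(open_tag, pos)
        if start < 0:
            out.append(page[pos:])
            return "".join(out)
        out.append(page[pos:start])
        body_start = start + len(open_tag)
        end = page.find(close_tag, body_start)
        if end < 0:
            out.append(sanitize(page[body_start:]))
            return "".join(out)
        out.append(sanitize(page[body_start:end]))
        pos = end + len(close_tag)


# Constructed sample comment: a hover handler the blocklist misses, plus a forged unlock tag
# carrying a guessed token followed by more script.
CONSTRUCTED_COMMENT = (
    '<a href="https://example.com" onmouseover="hover()">hover me</a>'
    "<script>x()</script>"
    '</shield unlock="guessed-token"><script>y()</script>'
)


def demo() -> dict:
    site_filtered = naive_blocklist_filter(CONSTRUCTED_COMMENT)   # still carries onmouseover
    token, shielded = wrap_untrusted(site_filtered)
    page = '<script src="https://example.com/site.js"></script>' + shielded  # site's own script
    return {"site_filtered": site_filtered, "rendered": render_with_shield(page, token)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the simulation is the one the thread makes: the blocklist leaves the hover handler in place, yet the rendered page has no handler left, because inside the region the browser never applied anything but the allow-list, and the forged `</shield unlock=...>` could not end the region without the per-page token. The site's own script outside the region is untouched.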
This is not a weakness or an exploit, it's simply a javascript bookmarklet. You could make something like this for any site, such as Slashdot.
It's only an exploit if you can force other people to run that code without their consent.
If your security model is built on everyone else playing nice, you're fucked.
The problem here is in the browser allowing the hijack.
Yes, this was because of Javascript, but no, sadly it won't be going away.
So, all bots that crawl forums to spam them are Javascript? Honestly, if Javascript could do this, I wonder what a more complex bot could have done. Are we all going to lament about the programming language that some forum bot was written in? C? Python?
"Yes, this was because of C, but no, sadly it won't be going away."
Can't see why people get such a hardon bashing Javascript. "Because it's not a real programming language!"? I guess it's the same mentality that leads people to bash PHP, Perl, Ruby, ASP, etc. etc.
I look at it this way. Javascript is a tool and bad programming is bad programming and sadly, bad programming won't be going away.
I've lost all my marbles except one & It's fun to test angular & centripetal acceleration in my skull
Image file formats and HTML pages are not Turing complete
Hey, ultranova! I'd like you to meet my friend, PostScript.
Consequently, the former are "safe" in that it's possible to prove that a particular implementation is free of exploits that would allow running arbitrary code,
Mr. Hofstadter has the most interesting record player...
I know what you mean on a non-literal level, but you have some interesting definitions of "safe" and "prove" that don't match well with computer science.
Dewey, what part of this looks like authorities should be involved?
There is absolutely no excuse for writing a page that doesn't 'fail gracefully' when javascript isn't present.
Yes there is. Making your page fail gracefully takes extra time and resources, which could be put to better use than supporting the 1% of users who choose to handicap their browsers by turning off javascript.
Failing gracefully is an important concern, but it's not the only concern, and should be balanced against other priorities.
And if you did have a braindead tripwire like that, it would have jumped on the fact that fuck is in the URL in the summary.
The idea is to build the page in fail-state first, and then use JavaScript to enhance it. Or in other words, build your DOM and then restyle, add event listeners, etc.
It doesn't take extra time, and it's a great technique for future-proofing your pages. It also makes them accessible to people who, for whatever reason, can't take advantage of teh javascript. If your website is in the US, and is big enough for anyone to care, ADA compliance pretty much requires it.
There are many situations other than forum posting where it is desirable to include third-party content in your site. Advertisements are the first thing that jump to mind, but web widgets are also becoming popular. Having some browser markup that will limit what the third-party code can do would enable this to be done safely, without having to trust the third party or load and filter third-party content server-side.
The problem with Reddit isn't JavaScript but rather their markdown implementation. And the security threat here isn't to the user whose system is running the JS, but instead to the Reddit site.
Yes that's what makes this case special. Most javascript security problems are externalities to the websites that over-use javascript - they don't normally suffer the consequences of enabling javascript in the browser - the users do. This time the website is paying the price for their poor decisions. Finally the gander is getting goosed.
If you're using an up-to-date & secure browser, there's typically minimal risk to enabling JavaScript. That JavaScript can sometimes be used to do mischievous things...
No. Javascript vulnerabilities come in two flavors - exploited bugs and deliberate abuses. All of the web-tracking systems enhance their tracking of people via javascript, simply blocking cookies from 3rd party sites hasn't been sufficient to protect users from such deliberate abuses for many years now. Then there are the increasingly more common zero-day exploits that are installed via other vulnerabilities in a web-server that no amount of "regular updates" will protect users from.
There is a reason NoScript is the #2 most popular Firefox plugin with over 54 million downloads - that reason is because javascript is a huge vulnerability, people know it and are trying to do something about it.
When information is power, privacy is freedom.