Slashdot Mirror


Reddit Javascript Exploit Spreading Virally

Nithendil writes "guyhersh from reddit.com describes the situation (warning: title NSFW): Based on what I've seen today, here's what went down. Reddit user Empirical wrote javascript code where if you copied and pasted it into the address bar, you would instantly spam that comment by replying to all the comments on the page and submitting it. Later xssfinder posted a proof of concept where if you hovered over a link, it would automatically run a Javascript. He then got the brilliant idea to combine the two scripts together, tested it and it spread from there."

8 of 239 comments

  1. Re:NoScript by CKW · Score: 3, Interesting

    I love how *their* mistake causes viral problems in YOUR browser. All one needs is some sort of cross site vulnerability now and ...

  2. Reddit Hacks by jDeepbeep · Score: 3, Interesting

    This is nothing new. There is a quiet tradition of Reddit users finding the weak points of the site, like this for example.

    Putting javascript:$(".up").click() in the address bar upvotes everything on the page.

    --
    Reply to That ||
  3. Myspace by RalphSleigh · Score: 2, Interesting

    Reminds me of a very similar worm that hit myspace years ago:

    http://web.archive.org/web/20060208182348/namb.la/popular/tech.html

    Same thing, find a way of executing javascript and then have it self-replicate by posting itself all over the site.

    --
    Come as you are, do what you must, be who you will.
  4. Re:Is this good news or bad? by SanityInAnarchy · Score: 3, Interesting

    Hi there - you must have just popped in from some alternate universe

    Yep. It's called Google Chrome -- or, more accurately, the Chromium nightly. Javascript executes quickly, and I don't have to wait for an entire separate page to load. Additionally, if I have to wait, the "submit" button has a countdown timer.

    And regardless of speed, it is convenient to have that much more context on the page. For example, right now, I can see your post and mine, and I can expand the parents if I need to. If I were replying from the main discussion, I could scroll up to see the whole discussion. Yes, I know about tabs, but even switching with keyboard shortcuts isn't as nice as being able to actually see a few posts of context as I type.

    In this universe, the speed with javascript is noticeably slower - in many cases it's so slow as to be unusable.

    Which browser?

    --
    Don't thank God, thank a doctor!
  5. Re:Is this good news or bad? by lwsimon · Score: 2, Interesting

    Amen. I've gotten into the habit of structuring the document, outputting the data into readable form, then using CSS and JS to make it look and behave how I want it to.

    There are some pages where "no access without javascript" is acceptable - but they are few and far between. For the most part, you should be able to use Lynx and view the content.

    --
    Learn about Photography Basics.
  6. Re:Is this good news or bad? by horza · Score: 2, Interesting

    Absolutely right for your personal homepage. A professional web designer would not be able to get away with this. This kind of laziness translates directly into additional support costs for the client. And each time Microsoft recommends turning off Javascript due to a 0-day exploit you are cutting off more than 1%.

    I can't think of any cases where it is ok to not fail gracefully. I hope you are not talking about just using client side validation, one of the most used cases for Javascript but where you must always fail over to doing server side also. Can you give an example?

    Phillip.

  7. Re:Mod parent down by Firehed · Score: 2, Interesting

    Tools like that aren't foolproof, especially since browsers go out of their way to attempt to parse malformed input (unless you're serving content as application/xml, in which case the browser will just show an ugly parse error). I can't speak about that tool not having used it, but all it takes is one hacker finding yet another way to create a broken script tag that a browser will still run that they don't yet know about and all your efforts are for nothing.

    I think the parent's suggestion of BBCode is safer overall, but the safest solution is to not allow users to format content at all.

    --
    How are sites slashdotted when nobody reads TFAs?
  8. Re:html tag to disable active content by BikeHelmet · Score: 2, Interesting

    There is not a single brake pedal! And worse, the W3C or MS or Mozilla or whoever could introduce a new gas pedal, and you the website operator have to filter out the new gas pedal when it's introduced.

    Undid my mods, but I had to post this.

    There used to be a brake pedal. I think it was Firefox 1.5 where this code didn't evaluate any tags:

    element.appendChild(document.createTextNode(sText));

    The solution, therefore, was to manually parse italic/bold/a tags, to append those elements - and then create a text node inside. A perfect working DHTML/DOM solution, properly sanitized!

    However, with Firefox 3, text nodes now evaluate HTML tags. This handy function went out with eval usage for local callbacks. :/ Opera and Chrome also evaluate some (all?) tags for appended text.
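An added example, not code from this thread, from reddit, or from any browser: it puts the two sanitizing strategies discussed in comments 7 and 8 side by side. The first function is the kind of "strip the script tag" blacklist Firehed warns about, and the constructed inputs show it failing on a split tag and on an event-handler attribute. The second is the approach BikeHelmet describes, parsing a small allowlisted markup (bold, italic, link) and turning everything else into escaped text, the serialized-HTML equivalent of building elements and putting the user's words in a text node. The BBCode dialect ([b], [i], [url=...]), the function names and the sample inputs are all assumptions made for the example; it runs in Node without a browser.

```javascript
// Added example (not from the Slashdot thread, reddit, or any browser code).
// Contrasts a blacklist filter with an allowlist renderer for user comments.

// --- 1. Naive blacklist: removes <script> tags and nothing else. ---
// This is the pattern comment 7 warns against: one unanticipated encoding
// or a different element with an event handler and the filter is useless.
function naiveBlacklist(html) {
  return html.replace(/<\/?script[^>]*>/gi, "");
}

// --- 2. Allowlist renderer for a tiny BBCode dialect (assumed for the example). ---
// User text never becomes markup: it is escaped, the same effect as
// document.createTextNode() in the DOM version from comment 8.
function escapeHtml(text) {
  return text
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Only absolute http(s) URLs without quote/angle/whitespace characters are
// accepted as link targets; "javascript:" and friends are rejected.
function safeUrl(url) {
  const trimmed = url.trim();
  return /^https?:\/\/[^\s"'<>]+$/i.test(trimmed) ? trimmed : null;
}

// Recognized tags: [b], [i], [url=...] and their closing forms.
// Anything that does not match is ordinary text.
const TAG_RE = /\[(\/?)(b|i|url)(?:=([^\]]*))?\]/gi;

function renderBBCode(input) {
  let out = "";
  const open = []; // stack of currently open element names
  let last = 0;
  for (const m of input.matchAll(TAG_RE)) {
    out += escapeHtml(input.slice(last, m.index)); // text between tags is escaped
    last = m.index + m[0].length;
    const closing = m[1] === "/";
    const name = m[2].toLowerCase();
    if (!closing) {
      if (name === "url") {
        const href = safeUrl(m[3] || "");
        if (href === null) {
          out += escapeHtml(m[0]); // unsafe target: the tag is shown as literal text
          continue;
        }
        out += `<a href="${escapeHtml(href)}" rel="nofollow">`;
      } else {
        out += `<${name}>`;
      }
      open.push(name);
    } else {
      if (open[open.length - 1] !== name) {
        out += escapeHtml(m[0]); // unmatched close tag: literal text, keeps output well-formed
        continue;
      }
      open.pop();
      out += name === "url" ? "</a>" : `</${name}>`;
    }
  }
  out += escapeHtml(input.slice(last));
  while (open.length) { // close anything the user left open
    const name = open.pop();
    out += name === "url" ? "</a>" : `</${name}>`;
  }
  return out;
}

// Constructed inputs for demonstration.
console.log(naiveBlacklist("<scr<script>ipt>alert(1)</script>")); // blacklist reassembles a script tag
console.log(naiveBlacklist("<img src=x onerror=alert(1)>"));       // blacklist never looked at this
console.log(renderBBCode("[b]hi[/b] [url=http://example.com/?a=1&b=2]x[/url]"));
console.log(renderBBCode("[url=javascript:alert(1)]click[/url]")); // link target refused
console.log(renderBBCode("<script>alert(1)</script>"));            // rendered as inert text
```

The blacklist removes exactly the strings it was told about and nothing more, so a split tag reassembles into a working `<script>` after filtering, and an `<img onerror>` is not touched at all. The allowlist renderer has no list of bad things: output markup comes only from its own string literals, so any new element or attribute a browser vendor adds is irrelevant to it, and the only way to get a link is through a URL check that refuses non-http schemes.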