Reddit Javascript Exploit Spreading Virally

Nithendil writes "guyhersh from reddit.com describes the situation (warning: title NSFW): Based on what I've seen today, here's what went down. Reddit user Empirical wrote javascript code where if you copied and pasted it into the address bar, you would instantly spam that comment by replying to all the comments on the page and submitting it. Later xssfinder posted a proof of concept where if you hovered over a link, it would automatically run a Javascript. He then got the brilliant idea to combine the two scripts together, tested it and it spread from there."

Re:NoScript

[CKW]

I love how *their* mistake causes viral problems in YOUR browser. All one needs is some sort of cross site vulnerability now and ...

Reddit Hacks

[jDeepbeep]

This is nothing new. There is a quiet tradition of Reddit users finding the weak points of the site, like this for example.

Putting javascript:$(".up").click()() in the address bar upvotes everything on the page.

Re:Is this good news or bad?

[SanityInAnarchy]

Hi there - you must have just popped in from some alternate universe

Yep. It's called Google Chrome -- or, more accurately, the Chromium nightly. Javascript executes quickly, and I don't have to wait for an entire separate page to load. Additionally, if I have to wait, the "submit" button has a countdown timer.

And regardless of speed, it is convenient to have that much more context on the page. For example, right now, I can see your post and mine, and I can expand the parents if I need to. If I was replying from the main discussion, I could scroll up to see the whole discussion. Yes, I know about tabs, but even switching with keyboard shortcuts isn't as nice as being able to actually see a few posts of context as I type.

In this universe, the speed with javascript is noticeably slower - in many cases it's so slow as to be unusable.

Which browser?