Slashdot Mirror


Reddit Javascript Exploit Spreading Virally

Nithendil writes "guyhersh from reddit.com describes the situation (warning: title NSFW): Based on what I've seen today, here's what went down. Reddit user Empirical wrote javascript code where if you copied and pasted it into the address bar, you would instantly spam that comment by replying to all the comments on the page and submitting it. Later xssfinder posted a proof of concept where if you hovered over a link, it would automatically run a Javascript. He then got the brilliant idea to combine the two scripts together, tested it and it spread from there."

5 of 239 comments

  1. Re:Is this good news or bad? by pla · Score: 5, Insightful

    it will hopefully educate webmasters to stop programming their sites in a way that requires javascript even for basic functionality.

    *cough*Slashdot*cough*

  2. Re:Is this good news or bad? by Anonymous Coward · Score: 5, Insightful

    No, it won't. The other 6 million javascript exploits didn't do that. What makes you think this one will?

  3. Re:Is this good news or bad? by SanityInAnarchy · Score: 5, Insightful

    Just as exploits in the image processing components of web browsers will hopefully educate people to surf in Lynx? Or exploits in their HTML rendering will hopefully educate people to surf by piping wget through less?

    This was not because of Javascript, nor is Javascript going away because of this.

    --
    Don't thank God, thank a doctor!

  4. A Good Idea by CopaceticOpus · Score: 5, Insightful

    Hey, everyone, there is a javascript exploit on Reddit! Click on these links to Reddit to learn more.

    Incidentally, this old sock smells awful. You should smell it.

  5. Re:Is this good news or bad? by Anonymous Coward · Score: 5, Insightful

    As a web developer, I beg to differ. There is absolutely no excuse for writing a page that doesn't 'fail gracefully' when javascript isn't present. Let's face it, for every reputable page out there (att.net, youtube.com, etc.) there are a hundred others designed by average joe-schmo web programmers. And lord only knows if they designed their page securely, and lord only knows if someone has hacked them and injected malicious scripts. I seem to recall hearing a few weeks ago that the majority of malicious scripts were being put into Hollywood celebrity gossip sites that people were hitting off their Google searches.

    For me, the solution is to just whitelist the sites I visit frequently, only allowing scripts/cookies when I know they can be trusted. I'm not saying that you shouldn't design without javascript, but I am saying that you shouldn't assume that everyone visiting your page is going to have it. Besides, how hard is it to write a page that vomits up its contents in a readable form when the javascript doesn't run to position all the css objects? It doesn't have to look pretty, but it should be usable.