Reddit succumbs then cleans up from XSS attack

Social news website Reddit has cleaned up from a nasty cross-site scripting (XSS) worm that spread Sunday night via the site's comments section.

The worm was first created when a Reddit user posted a malicious script as a comment to a widely read story on the site, Mikko Hypponen, chief research officer at anti-virus firm F-Secure, said in a blog post Monday. It spread quickly when users hovered their mouse over text in a comment, which invoked a command to send further comments to other Reddit threads.

"People reading comments ended up sending massive amounts of new comments to Reddit threads," Hypponen said. "Right now, things have calmed down. Reddit was never down, and Reddit administrators have closed this vulnerability. Malicious comments are being mass deleted right now."

Jeremy Edberg, senior product developer at Reddit, explained that the worm's author actually took advantage of two bugs that enabled him to perpetrate the infection. One of the flaws could be exploited by placing an MD5 hash function at the end of every comment.

Edberg blamed the outbreak on the site's failure to sanitize certain output data.
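What "sanitizing output" means in practice, as an added illustration that is not Reddit's code: user comments are rendered either as plain escaped text or through a strict allowlist that never copies event-handler attributes (the hover-triggered kind this worm relied on) or script-scheme links. The tag and attribute allowlists are constructed for the example.

```python
import html
from html.parser import HTMLParser

# Constructed allowlist for the example: tags a comment may keep, and the
# attributes permitted on each. Anything else (on*, style, ...) is dropped.
ALLOWED_TAGS = {"b", "i", "em", "strong", "code", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = ("http://", "https://", "/")


def escape_comment(text: str) -> str:
    """Approach 1: treat the whole comment as text; no markup survives."""
    return html.escape(text, quote=True)


class _Allowlist(HTMLParser):
    """Approach 2: rebuild the comment keeping only allowlisted markup."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # drop the tag itself; its text content is still emitted
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # discards onmouseover, onclick, style, ...
            value = value or ""
            if name == "href" and not value.lower().startswith(SAFE_SCHEMES):
                continue  # discards javascript:, data: and other schemes
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text nodes are always re-escaped, so entities cannot smuggle markup.
        self.out.append(html.escape(data, quote=True))


def sanitize_comment(text: str) -> str:
    """Return comment markup reduced to the allowlist, safe to embed in a page."""
    parser = _Allowlist()
    parser.feed(text)
    parser.close()
    return "".join(parser.out)
```

Escaping is the default choice; the allowlist is only worth its extra parsing surface when comments must keep some formatting.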

"As a matter of fact, these bugs were only exploitable because we are open-source," Edberg wrote on the official Reddit blog. "We cannot hide behind security through obscurity, and we like it that way. We also rely on our users reporting security bugs in a responsible manner. We have spoken to the worm author, and he has apologized for his actions and admitted that [what] he did was irresponsible. He has promised that he will follow the path of responsible disclosure in the future."

Reddit is just the latest social networking site to fall victim to an XSS attack. Twitter experienced a similar incident in April.
