Reddit succumbs then cleans up from XSS attack


Social news website Reddit has cleaned up from a nasty cross-site scripting (XSS) worm that spread Sunday night via the site's comments section.

The worm was first created when a Reddit user posted a malicious script as a comment on a widely read story on the site, Mikko Hypponen, chief research officer at anti-virus firm F-Secure, said in a blog post Monday. It spread quickly when users hovered their mouse over text in a comment, which triggered a command that posted further comments to other Reddit threads.

"People reading comments ended up sending massive amounts of new comments to Reddit threads," Hypponen said. "Right now, things have calmed down. Reddit was never down, and Reddit administrators have closed this vulnerability. Malicious comments are being mass deleted right now."

Jeremy Edberg, senior product developer at Reddit, explained that the worm's author actually took advantage of two bugs that enabled him to perpetrate the infection. One of the flaws could be exploited by placing an MD5 hash function at the end of every comment.

Edberg blamed the outbreak on the site's failure to sanitize certain output data.
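As an added illustration, not code from Reddit or from the article, the two defensive steps the story describes look like this: encoding comment bodies on output so stored markup is displayed rather than executed, and a triage scan over stored comments to flag the hover-triggered kind for cleanup. The comment bodies, the `author`/`body` field names and the flagging heuristic are constructed for the example.

```javascript
// Added example (not Reddit's code): output encoding for comment bodies plus a
// scan for the kind of self-propagating comment the article describes.

// Encode the characters that let stored text become markup or attribute
// content when rendered. This is the "sanitize output" step the article says
// was missing.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Render a stored comment into the page template. Both fields pass through
// escapeHtml, so anything a user typed is shown literally, never interpreted.
function renderComment(author, body) {
  return `<div class="comment"><span class="author">${escapeHtml(author)}</span>` +
         `<p>${escapeHtml(body)}</p></div>`;
}

// Heuristics for triaging stored comments during cleanup: a raw tag carrying an
// inline event handler (the hover-triggered behaviour in the article) or a
// script tag. These flag candidates for review; they are not a substitute for
// output encoding, which is the actual fix.
const EVENT_HANDLER_RE = /<[^>]*\son[a-z]+\s*=/i;
const SCRIPT_TAG_RE = /<script\b/i;

function looksLikeWormComment(body) {
  return EVENT_HANDLER_RE.test(body) || SCRIPT_TAG_RE.test(body);
}

// Constructed sample of stored comments (not real Reddit data). Comment 2 uses
// angle brackets legitimately and must not be flagged.
const SAMPLE_COMMENTS = [
  { id: 1, author: 'alice', body: 'Great article, thanks!' },
  { id: 2, author: 'bob', body: 'A <b>bold</b> claim: 1 < 2 && 3 > 2' },
  { id: 3, author: 'mallory', body: '<span onmouseover="...">hover me</span>' },
];

// Return the ids of comments that match the triage heuristics.
function flagSuspicious(comments) {
  return comments.filter((c) => looksLikeWormComment(c.body)).map((c) => c.id);
}

// Rendered output for review; every comment, flagged or not, is inert HTML.
const RENDERED = SAMPLE_COMMENTS.map((c) => renderComment(c.author, c.body));
```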

"As a matter of fact, these bugs were only exploitable because we are open-source," Edberg wrote on the official Reddit blog. "We cannot hide behind security through obscurity, and we like it that way. We also rely on our users reporting security bugs in a responsible manner. We have spoken to the worm author, and he has apologized for his actions and admitted that [what] he did was irresponsible. He has promised that he will follow the path of responsible disclosure in the future."

Reddit is just the latest social networking site to fall victim to an XSS attack. Twitter experienced a similar incident in April.
