When XSS met Reddit

The well-known social news website Reddit was hit by a very effective XSS (cross-site scripting) attack on Sunday, September 27th.

The attack relied on the fact that Reddit was not filtering out JavaScript in specific instances when a user moved the mouse over the text field of the comments. Separately, a user named “Empirical” had written a piece of JavaScript code that, if pasted into the browser address bar, automatically replied to all comments on a Reddit page, as a Reddit thread reports. Another user, named “xssfinder”, then combined these two facts to create an XSS attack exploiting this vulnerability.

Specifically, xssfinder posted a comment that was a link to malicious code on a popular thread called “Guy on a bike in New York ‘high fives’ people hailing cabs”. After that, things happened quickly. When a user tried to read this comment, or to post a reply to it, he or she ended up sending a vast number of spam comments onto other Reddit threads.

According to F-Secure, Reddit administrators claim that all the holes that could lead to this type of attack have already been closed. Moreover, all the comments that were produced by this malicious code have been removed.
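The class of flaw described above, user-supplied comment text reaching the page with an inline mouse-over handler intact, and the output escaping that closes it, shown as an added example. This is a constructed comment renderer, not Reddit's code and not the payload used in the attack; the link syntax, function names and sample comment are assumptions.

```javascript
// Constructed illustration: a tiny "[text](url)" comment renderer.
const LINK = /\[([^\]]*)\]\(([^)]*)\)/g;

// Escape for HTML text and for double-quoted attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// "Before": user input is interpolated straight into the markup, so a
// double quote in the URL ends href and starts a new attribute.
function renderNaive(comment) {
  return comment.replace(LINK, (_, text, url) => `<a href="${url}">${text}</a>`);
}

// "After": everything outside links is escaped, only http(s) links are
// turned into anchors, and the URL is re-serialized and escaped.
function renderSafe(comment) {
  let out = '';
  let last = 0;
  for (const m of comment.matchAll(LINK)) {
    const [whole, text, url] = m;
    out += escapeHtml(comment.slice(last, m.index));
    let parsed = null;
    try { parsed = new URL(url); } catch { parsed = null; }
    if (parsed && ['http:', 'https:'].includes(parsed.protocol)) {
      // parsed.href percent-encodes quotes and spaces in the URL.
      out += `<a href="${escapeHtml(parsed.href)}" rel="nofollow">${escapeHtml(text)}</a>`;
    } else {
      out += escapeHtml(whole); // leave rejected links as inert text
    }
    last = m.index + whole.length;
  }
  return out + escapeHtml(comment.slice(last));
}

// Coarse regression check for tests (not a sanitizer): does any tag in
// the rendered HTML carry an on* attribute?
function hasInlineHandler(html) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Constructed sample comment; the handler body is a harmless assignment.
const sample = '[cute video](http://example.com/" onmouseover="window.x=1)';

console.log(renderNaive(sample), hasInlineHandler(renderNaive(sample)));
console.log(renderSafe(sample), hasInlineHandler(renderSafe(sample)));
```
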

Moreover, it is very common for a new XSS attack to be followed within a short period of time by a wave of different variations. So, one way to prevent this kind of attack may be to turn off JavaScript when accessing Reddit, for example by using the NoScript extension for Firefox.

References: The Register, F-Secure, The H Security
