Reddit XSS worm (Don't mouseover Reddit comments and use FF+Noscript) - est
http://www.reddit.com/r/self/comments/9oo78/anyone_else_click_on_the_comments_to_a_story_and/
Infected page:

http://www.reddit.com/r/self/comments/9oo78/

Discussion on proggit:

http://www.reddit.com/r/programming/comments/9oo8j/source_code_for_the_redditfirefox_exploit/
======
Herring
<http://img503.imageshack.us/img503/9640/1254105520402.jpg>

Mousing over the comment causes you to submit one like it. According to 4chan,
someone in proggit found the exploit at around 22:30. --
<http://zip.4chan.org/g/res/5994620.html>

~~~
erlanger
Yep, an early comment in the submission with the pics of O'Reilly's
"JavaScript: The Definitive Reference" and "JavaScript: The Good Parts" had
the exploit, I didn't pay much attention, thought it was just someone screwing
around with a JS snippet. Sounds like someone ran with the idea.

Hate to say it, but disabling JavaScript's the best workaround. Right now the
infected comments are too prevalent to reliably avoid.

~~~
nostrademons
I just keep my mouse in the right column, over the ads. Seems to work so far.

------
ashleyw
It really wasn't a good idea to link to a page _full of the 'infected'
comments_...

~~~
albertsun
Nothing seems to be happening to me. Do you have to be logged in to be
affected by the attack?

~~~
ashleyw
Yeah, and you need to hover over one of the comments for it to work, too.

------
forsaken
Anyone know what this is a problem from? I've heard it's a Python Markdown
vulnerability, or is it just in reddit's implementation of something?

~~~
est
[http://www.reddit.com/r/programming/comments/9oo8j/source_co...](http://www.reddit.com/r/programming/comments/9oo8j/source_code_for_the_redditfirefox_exploit/)

comment this line in markdown.py

[http://code.reddit.com/browser/r2/r2/lib/contrib/markdown.py...](http://code.reddit.com/browser/r2/r2/lib/contrib/markdown.py#L291)
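The thread pins the worm on reddit's Markdown renderer letting event-handler markup (the `onmouseover` that fires when you hover a comment) through into the rendered page. The following is an added example, not reddit's code and not the markdown.py fix referred to above: it assumes a comment pipeline of Markdown -> HTML -> stored and served, and shows the defensive step that a renderer with that bug lacks, an allow-list sanitiser over the produced HTML that drops every `on*` attribute, every `javascript:` style URL and every disallowed tag, and reports what it removed so stored comments can be scanned for the same pattern. All names and the sample comment HTML are constructed for the example.

```python
"""Allow-list sanitiser for HTML emitted by a Markdown renderer (added example).

Assumption: the renderer hands us HTML that may still contain raw markup from
the comment author, so anything not on the allow list is untrusted.
"""
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "a", "em", "strong", "code", "pre", "ul", "ol", "li",
                "blockquote", "br", "hr", "h1", "h2", "h3"}
ALLOWED_ATTRS = {"a": {"href", "title"}}          # attributes kept, per tag
VOID_TAGS = {"br", "hr"}                           # never get a closing tag
SKIP_CONTENT_TAGS = {"script", "style", "iframe", "object"}  # drop their body too
SAFE_SCHEMES = ("http://", "https://", "mailto:")


def _safe_url(value):
    """True for relative URLs and the schemes in SAFE_SCHEMES.

    Whitespace and control characters are stripped first, because browsers
    ignore them inside a scheme name (so "java\\nscript:" is still javascript:).
    """
    v = "".join(ch for ch in value.strip().lower()
                if ch.isprintable() and not ch.isspace())
    if ":" not in v:            # relative reference, no scheme at all
        return True
    return v.startswith(SAFE_SCHEMES)


class MarkdownHtmlSanitizer(HTMLParser):
    def __init__(self):
        # convert_charrefs=True decodes &#106;avascript: before we inspect it
        super().__init__(convert_charrefs=True)
        self.out = []          # sanitised HTML fragments
        self.dropped = []      # (tag, attr, value) removed, for moderation logs
        self._skip_depth = 0   # >0 while inside script/style/iframe/object

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.dropped.append((tag, None, None))
            if tag in SKIP_CONTENT_TAGS:
                self._skip_depth += 1
            return
        if self._skip_depth:
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append((tag, name, value))   # event handlers land here
                continue
            if name == "href" and not _safe_url(value):
                self.dropped.append((tag, name, value))   # javascript: etc.
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag not in ALLOWED_TAGS:
            if tag in SKIP_CONTENT_TAGS and self._skip_depth:
                self._skip_depth -= 1
            return
        if self._skip_depth or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(escape(data, quote=False))


def sanitize(html):
    """Return (clean_html, dropped) for one rendered comment."""
    parser = MarkdownHtmlSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.dropped


def find_event_handlers(html):
    """Names of on* attributes present in stored HTML, for scanning old comments."""
    _, dropped = sanitize(html)
    return sorted({attr for _, attr, _ in dropped if attr and attr.startswith("on")})


# Constructed sample: what an unsanitised renderer would emit for a comment
# carrying a hover handler and a javascript: link (payload bodies replaced by
# the placeholder worm()).
COMMENT_HTML = ('<p>Nice book! <a href="http://example.com/js" '
                'onmouseover="worm()">JavaScript: The Good Parts</a></p>'
                '<p><a href="javascript:worm()">click</a>'
                '<script>worm()</script></p>')

if __name__ == "__main__":
    clean, removed = sanitize(COMMENT_HTML)
    print(clean)
    for item in removed:
        print("dropped:", item)
```

The allow list is the point: a deny list of known-bad attributes misses the next attribute name, whereas here an attribute survives only if the tag and attribute are both explicitly permitted and, for `href`, the scheme is one of a few known ones. The `dropped` list doubles as detection input; running `find_event_handlers` over already stored comments is how a moderator would find the ones the thread warns about.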

------
CrazedGeek
There was something similar going on earlier with a bookmarklet-style virus on
proggit:
[http://www.reddit.com/r/programming/comments/9okv7/ok_whoeve...](http://www.reddit.com/r/programming/comments/9okv7/ok_whoever_js_bombed_the_javascript_picture/)
(note that this link also has the XSS worm in it, take caution)

Today is not a good day in redditland.

------
tvon
This guy suggests some firebug code to run to delete all your comments from a
page (in case you were hit by the hack):

[http://www.reddit.com/r/netsec/comments/9ooif/has_someone_cr...](http://www.reddit.com/r/netsec/comments/9ooif/has_someone_created_a_reddit_worm/c0dpwrv)

I have not tested it myself.

------
eli
It's not actually a XSS problem

~~~
est
Yeah, it's not exactly cross-site, but consider XSS as a paradigm shift

<http://en.wikipedia.org/wiki/Cross-site_scripting#Background>

------
qeorge
IE8 isn't vulnerable, if you want to check it out safely.

~~~
TeHCrAzY
Is that with the XSS protection (the built in functionality) on or off?

