Reddit XSS worm (Don't mouseover Reddit comments and use FF+Noscript) (reddit.com)
31 points by est on Sept 28, 2009 | 16 comments


http://img503.imageshack.us/img503/9640/1254105520402.jpg

Mousing over the comment causes you to submit one like it. According to 4chan, someone in proggit found the exploit at around 22:30. -- http://zip.4chan.org/g/res/5994620.html


Yep, an early comment in the submission with the pics of O'Reilly's "JavaScript: The Definitive Reference" and "JavaScript: The Good Parts" had the exploit; I didn't pay much attention, thought it was just someone screwing around with a JS snippet. Sounds like someone ran with the idea.

Hate to say it, but disabling JavaScript's the best workaround. Right now the infected comments are too prevalent to reliably avoid.


I just keep my mouse in the right column, over the ads. Seems to work so far.


It really wasn't a good idea to link to a page full of the 'infected' comments...


Nothing seems to be happening to me. Do you have to be logged in to be affected by the attack?


Yeah, and you need to hover over one of the comments for it to work, too.


Anyone know what this is a problem from? I've heard it's a Python Markdown vulnerability, or is it just in reddit's implementation of something?




Allegedly it's a problem with reddit's Markdown implementation. It's also worth noting that reddit does not use the standard Python Markdown implementation, but has its own.


There was something similar going on earlier with a bookmarklet-style virus on proggit: http://www.reddit.com/r/programming/comments/9okv7/ok_whoeve... (note that this link also has the XSS worm in it, take caution)

Today is not a good day in redditland.


This guy suggests some firebug code to run to delete all your comments from a page (in case you were hit by the hack):

http://www.reddit.com/r/netsec/comments/9ooif/has_someone_cr...

I have not tested it myself.


It's not actually an XSS problem


Yeah, it's not exactly cross-site, but consider XSS as a paradigm shift

http://en.wikipedia.org/wiki/Cross-site_scripting#Background


IE8 isn't vulnerable, if you want to check it out safely.


Is that with the XSS protection (the built in functionality) on or off?



