Reddit hit by XSS worm

Social news site Reddit has fallen victim to a cross-site scripting (XSS) worm that spread via comments.

According to a post today on an F-Secure blog, aptly named user "xssfinder" recently posted some test comments saying that Reddit doesn't filter out JavaScript in certain instances.

Xssfinder developed a script to take advantage of the vulnerability and posted it as a comment to a link called "Guy on a bike in New York 'high fives' people hailing cabs."

When other users hovered over the link embedded in the comment, they would wind up automatically posting "massive amounts" of new comments to Reddit threads, courtesy of the worm, according to the post.

F-Secure says the site never went down, and Reddit administrators have fixed the vulnerability and are busy deleting the auto-generated comments.
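As an added defensive illustration (not Reddit's or F-Secure's code), the following is an allowlist sanitizer for comment HTML that keeps plain links but strips event-handler attributes and non-http(s) link targets, so a link like the worm's hover trigger survives only as a harmless link. The tag and attribute allowlist and the sample comment are constructed assumptions.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse
# Allowlist of tags and their attributes. Event handlers (onmouseover, onerror, ...) are
# never listed, so a link that fires script on hover, as in the worm, loses its handler.
ALLOWED_TAGS = {"a": {"href", "title"}, "b": set(), "i": set(), "p": set(), "code": set()}
SAFE_SCHEMES = {"http", "https"}     # rejects javascript:, data:, vbscript: hrefs
RAW_TEXT_TAGS = {"script", "style"}  # their text content is discarded, not displayed
# Constructed sample in the shape the article describes: a link that runs script on hover.
SAMPLE_COMMENT = '<a href="http://example.com/bike" onmouseover="alert(1)">high fives</a>'

class CommentSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []  # what was refused; worth logging as a detection signal
        self.muted = 0     # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in RAW_TEXT_TAGS:
            self.muted += 1
        if tag not in ALLOWED_TAGS:
            self.dropped.append(f"<{tag}>")
            return
        kept = []
        for name, value in attrs:  # HTMLParser already lowercases tag/attribute names
            value = (value or "").strip()
            if name not in ALLOWED_TAGS[tag] or (
                    name == "href" and urlparse(value).scheme not in SAFE_SCHEMES):
                self.dropped.append(f"{tag}@{name}")  # e.g. a@onmouseover, a@href
            else:
                kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in RAW_TEXT_TAGS and self.muted:
            self.muted -= 1
        elif tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.muted:
            self.out.append(html.escape(data, quote=False))

def sanitize_comment(raw_html):
    """Return (safe_html, dropped) for one user-submitted comment body."""
    parser = CommentSanitizer()
    parser.feed(raw_html)
    parser.close()
    return "".join(parser.out), parser.dropped
```

Calling `sanitize_comment(SAMPLE_COMMENT)` returns the link with only its `href` kept and reports `a@onmouseover` as dropped; the `dropped` list is what a moderation pipeline would alert on when the same refused attribute appears across many comments in a short window.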

According to a Reddit post, xssfinder didn't mean to wreak such havoc, and didn't realize how much damage was being done until it was too late. Reddit confirms that the worm was disabled, but suggests users disable JavaScript in their browsers just in case.

