September 28, 2009, 8:05 AM — Social news site Reddit has fallen victim to a cross-site scripting (XSS) worm that spread via comments.
Xssfinder developed a script to take advantage of the vulnerability and posted it as a comment to a link called "Guy on a bike in New York 'high fives' people hailing cabs."
When other users hovered over the link embedded in the comment, they would wind up automatically posting “massive amounts” of new comments to Reddit threads, courtesy of the worm, according to the post.
F-Secure says the site never went down, and Reddit administrators have fixed the vulnerability and are busy deleting the auto-generated comments.