Reddit hit by XSS worm


Social news site Reddit has fallen victim to a cross-site scripting (XSS) worm that spread via comments.

According to a post today on an F-Secure blog, a user aptly named "xssfinder" recently posted some test comments showing that Reddit doesn't filter out JavaScript in certain instances.

Xssfinder developed a script to take advantage of the vulnerability and posted it as a comment to a link called "Guy on a bike in New York 'high fives' people hailing cabs."

When other users hovered over the link embedded in the comment, they would wind up automatically posting "massive amounts" of new comments to Reddit threads, courtesy of the worm, according to the post.
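The mechanism described above, a script smuggled into a comment through a link and triggered on hover, is the classic shape of a comment-renderer XSS. The following is an added illustration written for this page, not Reddit's code (the article does not show what Reddit's renderer actually did): a toy renderer for an assumed markdown-like `[text](url "title")` syntax that interpolates the link parts straight into HTML attributes, beside a hardened version that escapes every piece and accepts only http(s) URLs. The sample comments are constructed.

```javascript
// Added example (not from the article or from Reddit): a vulnerable and a
// hardened comment renderer for an assumed [text](url "title") link syntax.

// Vulnerable: link text, URL and title are dropped into the markup verbatim.
// A quote inside the title closes the title attribute, so an attacker can
// append an event handler such as onmouseover= that fires when a reader
// hovers over the link, which is the trigger the article describes.
function renderCommentVulnerable(comment) {
  return comment.replace(
    /\[([^\]]*)\]\(([^\s)]+)(?:\s+"([^\n]*?)")?\)/g,
    (_m, text, url, title) =>
      `<a href="${url}"` +
      (title !== undefined ? ` title="${title}"` : "") +
      `>${text}</a>`
  );
}

// Hardened: escape everything that reaches the page, forbid quotes inside
// the title, and only turn http(s) URLs into links. Anything that does not
// parse as an acceptable link is rendered literally as escaped text.
const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

function renderCommentHardened(comment) {
  const link = /\[([^\]]*)\]\(([^\s)]+)(?:\s+"([^"\n]*)")?\)/g;
  let out = "";
  let last = 0;
  let m;
  while ((m = link.exec(comment)) !== null) {
    out += escapeHtml(comment.slice(last, m.index));  // text between links
    const [whole, text, url, title] = m;
    if (!/^https?:\/\//i.test(url)) {
      out += escapeHtml(whole);  // javascript:, data:, etc. never become links
    } else {
      out +=
        `<a href="${escapeHtml(url)}"` +
        (title !== undefined ? ` title="${escapeHtml(title)}"` : "") +
        `>${escapeHtml(text)}</a>`;
    }
    last = m.index + whole.length;
  }
  return out + escapeHtml(comment.slice(last));
}

// Constructed sample comments: one benign, one carrying a hover payload.
const BENIGN = '[bike](http://example.com/bike "high fives")';
const PAYLOAD = '[hover me](http://example.com "x" onmouseover="alert(1)")';

console.log("vulnerable:", renderCommentVulnerable(PAYLOAD));
console.log("hardened:  ", renderCommentHardened(PAYLOAD));
```

Run under Node; the vulnerable renderer emits a live `onmouseover` handler for the second comment, while the hardened one leaves it as inert text and still renders the benign link normally. The real fix is the same whatever the syntax: escape at the output boundary, allowlist attributes and URL schemes, and never let user text decide where an attribute ends.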

F-Secure says the site never went down, and Reddit administrators have fixed the vulnerability and are busy deleting the auto-generated comments.

According to a Reddit post (http://www.reddit.com/r/reddit.com/comments/9oopj/heres_what_happened_tonight_with_the_javascript/), xssfinder didn't mean to wreak such havoc, and didn't realize how much damage was being done until it was too late. Reddit confirms that the worm was disabled, but suggests users disable JavaScript in their browsers just in case.
