Reddit Javascript Exploit Spreading Virally
Nithendil writes "guyhersh from reddit.com describes the situation (warning: title NSFW): Based on what I've seen today, here's what went down. Reddit user Empirical wrote JavaScript code where if you copied and pasted it into the address bar, you would instantly spam that comment by replying to all the comments on the page and submitting it. Later xssfinder posted a proof of concept where if you hovered over a link, it would automatically run JavaScript. He then got the brilliant idea to combine the two scripts together, tested it and it spread from there."
Re:proof of concept (Score:4, Informative)
Re:Is this good news or bad? (Score:2, Informative)
Slashdot doesn't require Javascript. If it's turned off, you get sent to the classic POST form of yesteryear.
Already fixed. (Score:3, Informative)
KeyserSosa: Thanks for this (and thanks aedes). I'm going to steal his idea and post here as well. We've fixed a couple of underlying bugs in markdown.py, and will write a blog post for those interested once the dust settles. We've also gone through and deleted the offending comments. This exploit was a good old-fashioned worm, and its only purpose seems to have been to spread (and spread it did). The effect was limited to the site, and no user information was compromised.
So obviously this is no longer spreading.
Re:NoScript (Score:1, Informative)
You seem to have misunderstood what is going on. There isn't really a 'viral problem' in the browser, there is (was) a comment that would cause your browser to spam the server with copies of itself. So the problem is described as viral because it spreads to new users as they hover over an infected comment, but the problem is pretty well localized to reddit.com, and browser security is in no way compromised.
ironic javascript fail (Score:1, Informative)
Incidentally, I went to mod this and it failed... multiple times.
Though it eventually worked, I am not impressed.
It seems that Slashdot is so horribly broken and inconsistent as to be immune to such exploits.
Re:Well, that site has a terrible design (Score:4, Informative)
Mod parent down (Score:3, Informative)
Re:Is this good news or bad? (Score:3, Informative)
Re:Is this good news or bad? (Score:3, Informative)
Section 501 only applies to government websites, and really, it should apply to crappy screen readers that can't handle javascript.
Re:Is this good news or bad? (Score:4, Informative)
Filtering user input properly would have stopped this though. It is not an attack which relies on a flaw specific to javascript - the flaw is a very general one - using untrusted user input without aggressive filtering.
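The point above about filtering untrusted input, as an added example that is not part of the original comment and is not reddit's markdown.py: a simplified `[text](url)` renderer shown unescaped and then hardened with output escaping and a URL-scheme allowlist. The link syntax, function names and sample comments are assumptions constructed for illustration.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hypothetical, simplified inline-link syntax: [text](url)
LINK_RE = re.compile(r"\[([^\]]*)\]\(([^)]*)\)")
ALLOWED_SCHEMES = {"http", "https"}

def render_naive(comment):
    """Unsafe: link text and URL are pasted into the markup unescaped."""
    return LINK_RE.sub(lambda m: '<a href="%s">%s</a>' % (m.group(2), m.group(1)), comment)

def safe_href(url):
    """Keep the URL only if its scheme is allowlisted; otherwise fail closed to '#'."""
    try:
        scheme = urlsplit(url.strip()).scheme.lower()
    except ValueError:
        return "#"
    return url.strip() if scheme in ALLOWED_SCHEMES else "#"

def render_hardened(comment):
    """Escape all user text; the only tags emitted are the ones built here."""
    out, pos = [], 0
    for m in LINK_RE.finditer(comment):
        out.append(html.escape(comment[pos:m.start()]))
        href = html.escape(safe_href(m.group(2)))
        out.append('<a href="%s" rel="nofollow">%s</a>' % (href, html.escape(m.group(1))))
        pos = m.end()
    out.append(html.escape(comment[pos:]))
    return "".join(out)

def attribute_names(markup):
    """Parse rendered markup and return the attribute names a browser would see."""
    names = set()
    parser = HTMLParser()
    parser.handle_starttag = lambda tag, attrs: names.update(k for k, _ in attrs)
    parser.feed(markup)
    parser.close()
    return names

# Constructed sample comments (inert placeholders, not taken from the incident).
SAMPLES = [
    '[hover me](http://example.com/" onmouseover="x)',
    "[click](javascript:void(0))",
    '<b onmouseover="x">plain tag</b>',
]
```

Running `attribute_names()` over each renderer's output shows the difference: the naive form lets user text become an event-handler attribute, while the hardened form only ever yields `href` and `rel`.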
Re:Mod parent down (Score:2, Informative)
Re:Is this good news or bad? (Score:3, Informative)
I think you're talking about Section 508 of the Americans with Disabilities Act. And yes, it can apply to more than US Government web sites. Target found that out the hard way after refusing to provide alt tags and other accessible changes to their web site. After getting slammed with a $6 million judgement, no one else is bothering to refute what has become established case law.
I might also add that Section 508 covers much more than screen readers and javascript.