NEWS FROM THE LAB - Monday, September 28, 2009

XSS Worm on Reddit.com Posted by Mikko @ 11:12 GMT

Reddit (reddit.com) is a social news website, and it's much better than Digg or Slashdot.

However, it got hit today by an XSS worm that spread via comments on the site.


It all started with a user called, suitably enough, xssfinder.

His account has already been deleted.


This user posted some test comments exploiting the fact that Reddit wasn't filtering JavaScript out of comment markup in certain cases, so the injected script ran as soon as a reader hovered the mouse over the text.


When xssfinder got his script working, he tested it by posting one comment to a popular link called "Guy on a bike in New York 'high fives' people hailing cabs".

After this, things happened quickly.

The browsers of people merely reading the infected comments ended up posting massive numbers of new comments to Reddit threads, spreading the worm further.
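The two things the post describes, a hover-triggered script smuggled into comment markup and the reader's own browser then acting on the attacker's behalf, come down to one rendering mistake: copying user-controlled text into an HTML attribute without escaping it. The following is an added example, not Reddit's code or the actual worm; it assumes a made-up, deliberately naive Markdown-style link syntax `[text](url "title")` and shows the vulnerable renderer beside a hardened one, plus a small attribute tokenizer that reflects what a browser would actually see in each case.

```javascript
// Added example (not Reddit's code). Assumed comment syntax: [text](url "title").
// The naive renderer copies the title into an HTML attribute verbatim, so a
// title containing a double quote closes the attribute early and lets the
// author add an onmouseover handler that runs when a reader hovers the link.
const LINK_RE = /\[([^\]]*)\]\(([^\s)]+)(?:\s+"(.*?)")?\)/g;

// Escape the characters that matter inside HTML text and attribute values.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: every captured piece is interpolated raw into the markup.
function renderLinkUnsafe(markdown) {
  return markdown.replace(LINK_RE, (m, text, url, title) => {
    const t = title !== undefined ? ` title="${title}"` : "";
    return `<a href="${url}"${t}>${text}</a>`;
  });
}

// Hardened: attribute values and text are escaped, and only http(s) URLs are
// turned into links so javascript: URLs are left as inert text.
function renderLinkSafe(markdown) {
  return markdown.replace(LINK_RE, (m, text, url, title) => {
    if (!/^https?:\/\//i.test(url)) return escapeHtml(m);
    const t = title !== undefined ? ` title="${escapeHtml(title)}"` : "";
    return `<a href="${escapeHtml(url)}"${t}>${escapeHtml(text)}</a>`;
  });
}

// Tokenise the attribute names of the first <a ...> tag. A raw '"' cannot
// occur inside a well-formed attribute value, so this mirrors the attributes
// a browser ends up with. Useful both as a test oracle and as a crude scan of
// already-rendered comments for injected event handlers.
function tagAttributes(html) {
  const tag = html.match(/<a\s([^>]*)>/i);
  if (!tag) return [];
  const names = [];
  const attrRe = /([a-zA-Z-]+)="[^"]*"/g;
  let m;
  while ((m = attrRe.exec(tag[1])) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Constructed sample comment in the shape of a hover-triggered injection.
const SAMPLE = 'Check this [out](http://example.com "nice" onmouseover="alert(document.cookie)")';

console.log(renderLinkUnsafe(SAMPLE)); // onmouseover becomes a real attribute
console.log(renderLinkSafe(SAMPLE));   // the quote is &quot;, handler stays inside title
console.log(tagAttributes(renderLinkUnsafe(SAMPLE)), tagAttributes(renderLinkSafe(SAMPLE)));
```

The handler fires in the reader's browser with the reader's own logged-in session, which is what turns a single comment into a worm: whatever the script submits, including a copy of itself as a new comment, is accepted as that reader's action. Escaping at render time (and rejecting non-http schemes) keeps attacker text inside the attribute it was meant for; deleting the comments that are already stored is the cleanup the post describes, not the fix.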

Right now things have calmed down. Reddit was never down, and Reddit administrators have closed this vulnerability. The malicious comments are being mass deleted.