Reddit Nixes 'Comment Bug' Attack

Reddit wasn't consistently filtering out JavaScript when a user moused over a link, creating an opening for a security vulnerability.
Posted September 29, 2009

Kenneth Corbin

Social news service Reddit is in the process of recovering from a worm that pummeled the site with malicious comments.

The cross-site scripting (XSS) worm emanated from the account of a user with the handle "xssfinder," who discovered that Reddit wasn't consistently filtering out JavaScript when a user moused over a link.

Xssfinder developed a malicious script, and tested it out by posting a link to a popular story, "Guy on a bike in New York 'high fives' people hailing cabs," according to analysts at the security firm F-Secure.

"After this, things happened quickly," they wrote in a blog post explaining the attack.

The "proof-of-concept" scripts xssfinder posted snowballed into a torrent of comments to various Reddit threads emanating from users who read the original comment.

In a thread in Reddit's programming forum, a user explained the experience.

"I went to this submission link ... and all of a sudden every comments reply window was spamming ... and submitting. I pressed escape as fast as I could and backed out of the page. I went to my overview and it had already submitted 30 replies."

In response, Reddit's administrators closed xssfinder's account, and have begun the process of deleting the massive number of malicious comments propagated by the worm.

F-Secure said that Reddit's site never went down during the worm attack.

The attack on Reddit is only the latest instance of hackers exploiting vulnerabilities in popular social media applications. In April, for instance, the white-hot microblogging service Twitter was hit with several variations of another XSS attack. The self-replicating string of code flooded the community with thousands of spam tweets by infiltrating the accounts of unsuspecting users, though Twitter officials said that no personal information had been compromised.

Facebook has encountered its own share of security threats. Taken in sum, the continued barrage of exploits against the sites has given some enterprise IT managers pause before welcoming social media applications behind the firewall.

A spokeswoman for Reddit did not immediately respond to a request for comment on today's worm.

Article courtesy of

Tags: Facebook, security, programming, worm, Reddit

0 Comments (click to add your comment)
Comment and Contribute


(Maximum characters: 1200). You have characters left.