Friday, May 7, 2021

Reddit Nixes ‘Comment Bug’ Attack

Social news service Reddit is in the process of recovering from a worm that pummeled the site with malicious comments.

The cross-site scripting (XSS) worm emanated from the account of a user with the handle “xssfinder,” who discovered that Reddit wasn’t consistently filtering out JavaScript when a user moused over a link.

Xssfinder developed a malicious script, and tested it out by posting a link to a popular story, “Guy on a bike in New York ‘high fives’ people hailing cabs,” according to analysts at the security firm F-Secure.

“After this, things happened quickly,” they wrote in a blog post explaining the attack.

The “proof-of-concept” scripts xssfinder posted snowballed into a torrent of comments to various Reddit threads emanating from users who read the original comment.

In a thread in Reddit’s programming forum, a user explained the experience.

“I went to this submission link … and all of a sudden every comments reply window was spamming … and submitting. I pressed escape as fast as I could and backed out of the page. I went to my overview and it had already submitted 30 replies.”

In response, Reddit’s administrators closed xssfinder’s account, and have begun the process of deleting the massive number of malicious comments propagated by the worm.

F-Secure said that Reddit’s site never went down during the worm attack.

The attack on Reddit is only the latest instance of hackers exploiting vulnerabilities in popular social media applications. In April, for instance, the white-hot microblogging service Twitter was hit with several variations of another XSS attack. The self-replicating string of code flooded the community with thousands of spam tweets by infiltrating the accounts of unsuspecting users, though Twitter officials said that no personal information had been compromised.

Facebook has encountered its own share of security threats. Taken in sum, the continued barrage of exploits against the sites has given some enterprise IT managers pause before welcoming social media applications behind the firewall.

A spokeswoman for Reddit did not immediately respond to a request for comment on today’s worm.

Article courtesy of InternetNews.com.

Similar articles

Latest Articles

What is Raw Data?

By itself, raw data doesn’t look like much or mean much, but it has the potential to be processed for analysis.  Processed data comes from...

What is Data Analysis?

Everything measurable that has happened, is happening, and will happen in a business can be boiled down to data. But not all data is...

IBM Begins Cloud Confidentiality...

IBM has positioned its cloud offering against the unique security, compliance and confidentiality needs of specific vertical markets with a sharp focus on finance...

Top Big Data Certifications...

The term Big Data reflects a very real growing trend. By 2020, every human will be generating an astounding 1.7 MB per second. That...