Reddit Attacked By Javascript Comment Bomb

Discussion in 'BlackHat Lounge' started by TapTapper, Sep 28, 2009.

  1. TapTapper

    Reddit fans beware: a very effective XSS (cross-site scripting) attack is currently live on the site: even hovering over a comment will cause your account to post scores of rogue comments. Turning off javascript before visiting may prevent the attack, or you may simply wish to avoid Reddit until the attack is brought under control. The attacker appears to have figured out how to insert javascript into Reddit comments: thus, hovering over such a comment is all it takes to spread the exploit. We're not aware of anything being downloaded to your machine at this point: only an XSS attack that posts the troublesome comments in your name.
    At the time of writing, Reddit is offline.
    Update: contrary to the first version of this post, it appears your old comments are not overwritten: the attack only spawns new ones. We'll update as we learn more.


    Code:
    http://mashable.com/2009/09/27/reddit-attack/