Reddit hacked
Posted in: Uncategorized

Update: Looks like the malicious code in the comments is now being replaced with “i am a terrible person”. But it is still possible to submit malformed URLs, and it remains to be seen whether the exploit is completely fixed.

Digg this story if you want to read the comments of gloating Diggers. Digg does not allow any markup (or markdown) in its comments, so there is no risk of such an exploit there.
reddit, one of the most popular social news sites, has just been hacked with a pretty bad exploit. As a story making its way up reddit’s front page demonstrates, reddit’s programmers made a major mistake in designing the site: they did not validate input in any of the text boxes on the site. From a security standpoint, this is a massive flaw.

Because reddit does not validate input and strip out potentially malicious code, anyone can enter a script that, through XSS, can steal your reddit login and password or execute other malicious code. As exploits go, this one is extremely serious; a similar exploit on MySpace wrought havoc on that site. It remains to be seen how quickly reddit responds to the threat. As of right now, the exploit is still working. So far, redditors are just playing around with it, but it is only a matter of time before someone writes a malicious script that starts hijacking reddit accounts, perhaps using them to upvote stories for their own benefit.

An interesting twist in the plot: the creator of reddit found the exact same exploit months ago on YCombinator News, which is based on reddit’s code. Although it was “fixed fairly quickly” at Y Combinator, the same exploit apparently remained unchecked on reddit itself. [ Via Neomeme ]
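To show what the missing control looks like, here is an added example (not reddit’s code) in Python, the language reddit is written in: a minimal comment renderer that HTML-escapes all user text and only rebuilds markdown-style links whose URL scheme is allow-listed, which also covers the malformed-URL problem mentioned in the update. The sample comments, the `[text](url)` syntax handled, and the function names are all constructed for this illustration.

```python
import html
import re
from typing import Optional
from urllib.parse import urlparse

# Only rebuild links of the form [label](url); everything else stays literal text.
LINK_RE = re.compile(r"\[([^\]]*)\]\(([^)\s]*)\)")
SAFE_SCHEMES = {"http", "https"}

# Constructed sample comments (not real reddit data) covering the cases that matter:
# a normal link, raw HTML, a link with a disallowed scheme, and a relative link.
SAMPLE_COMMENTS = [
    "see [the thread](http://reddit.com/r/reddit) for details",
    "<b>bold</b> is not allowed here",
    "[click](javascript:x) looks like a normal link",
    "[rel](/r/programming) relative links are fine",
]


def safe_href(url: str) -> Optional[str]:
    """Return the URL if it may be emitted as an href, otherwise None."""
    # Strip whitespace and control characters first, so obfuscated schemes are
    # not mistaken for relative paths when the scheme is parsed.
    cleaned = "".join(ch for ch in url if ch.isprintable() and not ch.isspace())
    scheme = urlparse(cleaned).scheme.lower()
    if scheme == "":
        return cleaned  # relative URL on the same site
    return cleaned if scheme in SAFE_SCHEMES else None


def render_comment(text: str) -> str:
    """Escape every character, then rebuild only the links we explicitly allow."""
    out = []
    pos = 0
    for m in LINK_RE.finditer(text):
        out.append(html.escape(text[pos:m.start()]))
        label, url = m.group(1), m.group(2)
        href = safe_href(url)
        if href is None:
            out.append(html.escape(label))  # keep the visible text, drop the link
        else:
            out.append(f'<a href="{html.escape(href, quote=True)}">{html.escape(label)}</a>')
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)


if __name__ == "__main__":
    for comment in SAMPLE_COMMENTS:
        print(render_comment(comment))
```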