Reddit hacked
Update: Looks like the malicious code on the comments is now being replaced with “i am a terrible person”. But it is still possible to submit malformed URLs, and it remains to be seen whether the exploit is completely fixed.
Digg this story if you want to read the comments of gloating Diggers. Digg does not allow any markup (or markdown) in its comments, so there is no risk of such an exploit.
reddit, one of the most popular social news sites, has just been hacked with a pretty bad exploit. As a story making its way up reddit’s front page demonstrates, reddit’s programmers have made a major mistake in designing the site: they did not validate input in any text boxes on the site. From a security standpoint, this is a massive flaw.
Because reddit does not validate input and strip out potentially malicious code, anyone can enter a script that, using XSS, can steal your login and password for reddit or execute malicious code. As far as exploits go, this one is extremely serious. A similar exploit on MySpace wrought havoc with the site. It remains to be seen how quickly reddit responds to the threat. As of right now, the exploit is still working. So far, redditors are just playing around with the exploit, but it is only a matter of time before someone writes a malicious script that will start hijacking reddit accounts, perhaps using them to upvote stories for their own benefit.
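The defensive counterpart to the flaw described above, as an added example that is not reddit’s code: a comment renderer that turns a user-supplied Markdown-style link `[text](url)` into HTML while escaping every user-controlled string and allowing only an explicit list of URL schemes, so a `javascript:` link can never reach the page. The link syntax, the allowed-scheme list and the sample inputs are assumptions made for the demonstration.

```python
"""Added example (not reddit's code): render user-supplied Markdown-style
links [text](url) into HTML safely.

Two defences are combined:
  1. HTML-escape all user-controlled text, so tags and attributes in a
     comment are displayed literally instead of being interpreted.
  2. Allow only an explicit list of URL schemes (http, https, mailto) in
     the href, so 'javascript:' or 'data:' URLs are never emitted.
Sample inputs in the tests are constructed for this demonstration.
"""
import html
import re
from typing import Optional
from urllib.parse import urlsplit

# Simplified link syntax assumed for the example: [text](url), no nesting.
LINK_RE = re.compile(r"\[([^\]]*)\]\(([^)\s]*)\)")
ALLOWED_SCHEMES = {"http", "https", "mailto"}


def safe_href(url: str) -> Optional[str]:
    """Return the URL if its scheme is allow-listed, else None.

    Whitespace and control characters are stripped first: browsers ignore
    them inside a scheme (e.g. 'java\\tscript:' still runs), so the check
    must see the same string the browser will.
    """
    cleaned = "".join(ch for ch in url if ch.isprintable() and not ch.isspace())
    scheme = urlsplit(cleaned).scheme.lower()
    if scheme == "":
        # Relative link: it can only point within the site.
        return cleaned
    return cleaned if scheme in ALLOWED_SCHEMES else None


def render_link(text: str, url: str) -> str:
    """Return an <a> element for an allowed URL, or just the escaped text."""
    label = html.escape(text, quote=True)
    href = safe_href(url)
    if href is None:
        # Drop the link entirely but keep the visible text, escaped.
        return label
    return f'<a href="{html.escape(href, quote=True)}" rel="nofollow">{label}</a>'


def render_comment(markdown: str) -> str:
    """Escape everything, then replace each [text](url) with a safe anchor."""
    out = []
    pos = 0
    for m in LINK_RE.finditer(markdown):
        out.append(html.escape(markdown[pos:m.start()], quote=True))
        out.append(render_link(m.group(1), m.group(2)))
        pos = m.end()
    out.append(html.escape(markdown[pos:], quote=True))
    return "".join(out)


if __name__ == "__main__":
    for sample in ("see [this](http://example.com/?a=1&b=2)",
                   "[x](javascript:alert%281%29)",
                   "<script>alert(1)</script>"):
        print(render_comment(sample))
```

The scheme allow-list is the important part: a blocklist of `javascript:` alone misses `data:`, `vbscript:` and whitespace-obfuscated variants, whereas an allow-list rejects everything it was not told about. Escaping is applied to the link text, the surrounding text and the href itself, so a quote inside a URL cannot break out of the attribute.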
An interesting twist in the plot: the creator of reddit found the same exact exploit months ago on Y Combinator News, a site similar to reddit. Although it was “fixed fairly quickly” at Y Combinator, apparently the same exploit remained unchecked on reddit itself.

Other sites should be learning a lot from this episode. Social media sites should come up with better website design and stronger security practices, and users should be careful about where they enter their login and credit card information.


good sec over on reddit!
YC News isn’t based on reddit code.
The issue was only present in the comment section, and only if you used markdown to make the link, not “in any text boxes on the site.”
You’re just making stuff up.
Who would not validate input in any text boxes?
And who wouldn’t fix it on reddit after coming up on Y Combinator?
Wow this is pretty bad. It’s one thing if a startup makes this kind of mistake but another now that they’ve been acquired.
Does Reddit censor users like Digg does, and is the average demographic of a Redditor 16 years old and male?
JM: I love reddit, I really do. But allowing such a major XSS flaw for months is hardly commendable.
mark is right. they aren’t even written in the same language.
Reddit is having a bad day. I just wrote an article showing how easily companies were gaming the system there to block out competitors.
Ilya,
I must agree with Marc above, you’re not being fair to the case. This is pure sensationalism. The way you present the story screams “digg me”.
…which works for people who won’t read the source, not surprisingly. But is it worth it?
Josh: This story was not written specifically with Digg bait in mind.
Can you identify specifically where the sensationalism is? Where am I being unfair?
Regardless of the programming language reddit and YCNews are written in, the fact remains that a major, and dangerous, exploit has been found in reddit, and a very similar exploit (improper/incomplete input validation) was found in Y Combinator News months ago. The exploit has since been fixed, but it has been present in reddit for quite a long time.
People were posting links which displayed a user’s cookie, which contained login credentials; those login credentials could have easily been hijacked by a malicious script.
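On the point made in the comment above, that a cookie holding login credentials can be read and hijacked by an injected script: as an added example that is not reddit’s code, the following builds a session cookie with the `HttpOnly` and `Secure` attributes, which keep the cookie out of `document.cookie` and off plaintext HTTP respectively, and checks an existing `Set-Cookie` header for the same attributes. The cookie name, the token value and the `SameSite` choice are assumptions made for the example.

```python
"""Added example (not reddit's code): issue a session cookie that page
scripts cannot read, and audit a Set-Cookie header for the same flags.

HttpOnly keeps the cookie out of document.cookie, so an injected script
cannot exfiltrate it; Secure keeps it off plaintext HTTP. Neither flag
removes an XSS bug, they only limit what an injected script can do with
the session. Cookie name and token value are constructed for the example.
"""
from http.cookies import SimpleCookie

# Attribute names compared in lower case: they are case-insensitive (RFC 6265).
REQUIRED = {"secure", "httponly"}


def hardened_session_cookie(token: str) -> str:
    """Return the Set-Cookie header value for a session token."""
    jar = SimpleCookie()
    jar["session"] = token
    jar["session"]["path"] = "/"
    jar["session"]["secure"] = True      # only sent over HTTPS
    jar["session"]["httponly"] = True    # not readable via document.cookie
    jar["session"]["samesite"] = "Lax"   # assumed policy; limits cross-site sends
    return jar["session"].OutputString()


def missing_protections(set_cookie_value: str) -> set:
    """Return the names from REQUIRED that a Set-Cookie header value lacks.

    The first "name=value" part is the cookie itself; everything after the
    first ';' is an attribute such as 'Path=/', 'Secure' or 'HttpOnly'.
    """
    attrs = {part.strip().split("=", 1)[0].lower()
             for part in set_cookie_value.split(";")[1:]}
    return {name for name in REQUIRED if name not in attrs}


if __name__ == "__main__":
    header = hardened_session_cookie("example-token")
    print(header)
    print("missing:", missing_protections(header) or "none")
    print("missing:", missing_protections("session=example-token; Path=/"))
```

Running the audit function over the `Set-Cookie` lines a site actually emits (captured from a browser’s network panel) is a quick way to confirm the session cookie is not exposed to script even while an injection bug is still being fixed.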
oh.. reddit seriously needs some security upgrade. this is not the 1st time
Well, there are CSRF flaws on digg.com. Not much better.
[…] read more | digg story […]
a bad hair day…
god i hate when this happens as a webmaster.
I pray for them
Time to check out an alternative to reddit:
http://www.vybr.com
submit your stories or links :-))
[…] it was a simple as them not validating any input on their posts/comments as reported here. This is a similar technique used back when MySpace incurred a similar fate (Sammy will always be […]
[…] slightly overhyped piece of news about Reddit being “hacked” is being discussed this weekend. As it turns out, the hack […]
I don’t use the service. But it is bad that there is always someone that knows better!
Cool
[…] has been a lot of talk recently about XSS since it was revealed that reddit has a serious XSS vulnerability. But just how serious can it be to let a user inject Javascript into a page? It is […]
I’ve written a post on why this kind of vulnerability is very serious and the ways it might be used. You can read it at: http://foobr.co.uk/2007/05/javascript_is_for_hackers/
hardly impartial…this is obviously a biased post from a digg fan. there’s a big difference between someone finding a fairly benign exploit, and reddit being “hacked.” if you want to talk about exploits, where’s your coverage of digg being overtly manipulated - both internally & externally???
Damn Whitehats.
[…] Reddit, a very simple ratings site, has been hacked, and from what I hear, they deserved […]
[…] case you haven’t heard, someone found a security hole in Reddit’s programming - apparently the programmers forgot to validate input from text boxes. A bit oops. So far they have […]
Wow.
A hack like this can open doorways to many other malicious content. Interesting stuff.
[…] Reddit hacked Update: Looks like the malicious code on the comments is now being replaced with “i am a terrible person”. […] […]
I don’t use Reddit too.
Sounds like something is missing in this story, why would a site as big as reddit neglect such a basic security hole?
Validating input is a basic fundamental of security; surprised to see reddit still not blocking the hole, even temporarily…
We all make mistakes….
Well, if you’re going to make a mistake, I say do it on the front end. This way people will have time to forget about it and you can be back on top in no time. Remember when that sports announcer guy took a bite out of his date? He’s back on top now. Sometimes you just have to bite the bullet when your staff screws up.
[…] Read | Permalink | Email this | Comments […]
[…] appears that the original post about reddit getting hacked was rather incorrect, and you could say I jumped the gun a bit with my […]
[…] May 30th, 2007 — Venture Skills Team With recent problems with Cross site scripting (XSS) at Reddit (though massively over hyped) I thought it was a good time to discuss its use in SEO. Before we […]
[…] Reddit hacked - one would think (hope!) the folks at normally-quite-wonderful social bookmarking site Reddit would be a bit more savvy when it comes to security. […]
[…] Interestingly, reddit’s founder was aware of the exploit months ago, but neglected to fix it.read more | digg […]
This is pretty bad situation. It’s one thing if a startup makes this kind of mistake but another now that they’ve been acquired.
[…] via neomeme.net […]
I’m trying to use reddit, but it looks …not really good… My favorite is stumble…but reddit is better to look for news…
Jack…
Great post, very informative. Have learned a lot from your site….
“..they did not validate input in any text boxes on the site. From a security standpoint, this is a massive flaw”
Wow, that’s more than just a flaw, validating input is a must for even small sites, so how reddit got away with it for so long is a mystery.
You’d expect to see that kind of sloppy coding from a start-up, but for such a popular web service it’s a disaster.
just came across this
i love digg now and never really used reddit
So much hacking. It must be human nature to want to hack anything and everything