Reddit XSS Demonstrates a Problem That Won't Go Away
Even after all the years of awareness, Cross Site Scripting (XSS) is still a problem that can bring major sites to their knees, and it can lead to much worse results for a site's end users when it is used in a blended attack to obtain authentication credentials, spoof legitimate content, or carry out some other form of data theft or misrepresentation. Recently the aggregator site Reddit was the victim of an XSS attack launched by its own users.
The initial XSS development may have been nothing more than a prank that required other Reddit readers to copy and paste it into the address bar, but this was enough for others to take the initial concept and expand on it, to the point that a proof of concept was tested that ran from merely hovering over a link. At this point things took on a life of their own once the script was embedded in a comment replying to a legitimate thread: anybody who hovered over the embedded link then automatically posted spam comments to other threads on Reddit (including, reportedly, altering those users' existing comments).
While the unexpected attack was completely confined to Reddit, it was highly visible and spread extremely rapidly, surprising pretty much everyone as it did so. In some ways it is similar to the seminal Morris Worm, which also had a rapid spread and effects far beyond the reach of what the initial author expected.
XSS attacks and vulnerabilities are going to remain as long as there is an Internet. There are a number of solutions that exist to help people mitigate the risk from running JavaScript from potentially malicious sources, but each of those solutions is tied to a specific browser or browser family. The only really generic solution that protects against JavaScript based XSS (the most common form) is to disable JavaScript for online activities.
Not everyone is comfortable surfing the Internet with JavaScript disabled; the loss of functionality on many sites is generally enough to send people straight back to re-enable it. If that isn't enough, the layout and navigation inconsistencies that plague many sites when JavaScript is disabled usually are.
When even trusted sites can be taken down by malicious JavaScript that is included via third party advertising, or, as in this case, by scripting that originates from the site itself, users are best advised to surf with caution, no matter where on the Internet they go.
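The comment-borne script described above only worked because user-supplied text reached the page as live markup. As an added example that is not Reddit's code nor part of the original post, the following JavaScript shows the defensive contrast: a naive renderer that interpolates the comment body straight into HTML, beside one that HTML-encodes it first so any embedded tag or hover handler is rendered as inert text. The comment string, the function names and the wrapper markup are all constructed for this illustration.

```javascript
// Added example (constructed, not the site's code): output encoding for
// user comments, the standard server-side/template-side mitigation for
// stored XSS of the kind the post describes.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Replace every character that has meaning to the HTML parser with its
// entity, so the browser treats the whole string as text, never as markup.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The vulnerable form: user input is concatenated directly into markup.
// Whatever tags or event-handler attributes the comment contains become
// part of the page and run in the site's origin.
function renderCommentUnsafe(body) {
  return `<p class="comment">${body}</p>`;
}

// The hardened form: identical wrapper, but the body is encoded first.
function renderCommentSafe(body) {
  return `<p class="comment">${escapeHtml(body)}</p>`;
}

// Reviewer check over rendered output: strip the fixed wrapper we emit and
// look for any raw tag opener, or an on*= attribute inside a tag, in what is
// left. Encoded output contains no '<', so nothing can match.
function containsActiveMarkup(html) {
  const inner = html
    .replace(/^<p class="comment">/, '')
    .replace(/<\/p>$/, '');
  return /<[a-z!\/]/i.test(inner) || /<[^>]*\bon[a-z]+\s*=/i.test(inner);
}

// Constructed sample comment: a link carrying a hover handler, the shape of
// input the post talks about. runPayload is a placeholder name.
const constructedComment =
  'Nice thread <a href="#" onmouseover="runPayload()">hover here</a>';

console.log('unsafe :', renderCommentUnsafe(constructedComment));
console.log('  active markup survives?', containsActiveMarkup(renderCommentUnsafe(constructedComment)));
console.log('safe   :', renderCommentSafe(constructedComment));
console.log('  active markup survives?', containsActiveMarkup(renderCommentSafe(constructedComment)));
```

Encoding at output time is only half the picture; a site that wants rich formatting in comments would pair it with an allowlist-based sanitiser rather than trying to strip specific attributes, since a blocklist of handler names is exactly what the escalating Reddit experiments would have probed around.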
1 October 2009