Proof of concept gone bad

Sep 29, 2009 09:44 GMT  ·  By

Reddit was hit yesterday by an out-of-control XSS worm that its author had launched as a proof of concept. The website administrators moved swiftly to stop the attack and inform the public, earning the appreciation of the security community.

Reddit is a social news and social bookmarking website that allows users to post, vote and comment on links to arbitrary content from the Internet. The platform is written in Python, and its code has been freely available as an open-source project since June 2008.

The XSS worm was released on Reddit on Sunday night and continued to spread into early Monday morning. The attack was blocked by 10:34 am on Monday, and the administrators announced that "We had a bug in reddit that allowed someone to start a comment bomb."

The worm exploited two different bugs, discovered independently by two users going by the online handles Empirical and Tolkad. The first allowed an attacker to craft a malformed link that, when visited, executed JavaScript in the victim's browser and forced the logged-in user to post replies to every comment on a page. "The first bug wasn't really a bug, but a feature of markdown that we hadn't removed. This feature allowed one to specify a variable for replacement later on," Jeremy Edberg, senior product developer at Reddit, explained.

The second issue was a logic weakness that allowed arbitrary JavaScript to be inserted in a comment and triggered by a mouse-over event. As Mr. Edberg explains, this was an input-sanitizing issue. "To prevent double escaping of certain characters, they are run through MD5 after being escaped once, and then the MD5 is undone at the end. Since the MD5 is the same every time, someone figured out that if you just put the MD5 into your comment, it would be unescaped at the end."
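The following is an added, constructed illustration of the escape-stash-restore pattern Edberg describes; it is not reddit's code. It models a renderer that escapes user text once, protects the characters of its own generated markup behind the MD5 of each character so a later pass cannot touch them, and swaps the real characters back at the end. The autolink feature, the regex, the order of the passes and the payload are all assumptions made for the toy. Because the placeholder is a constant, a comment containing that constant comes out of the final step as a raw character, which is enough to plant a tag with an onmouseover handler; the second renderer binds the placeholder to a per-render random nonce so a typed token never matches.

```python
import hashlib
import html
import re
import secrets

# Characters the toy renderer needs to emit raw inside its own <a> markup.
# The vulnerable version protects them with the MD5 of the character, which is
# identical on every request and for every user (assumption modelled on the
# article's description; not reddit's actual table).
PROTECTED = '<>"'
FIXED_TOKENS = {ch: hashlib.md5(ch.encode()).hexdigest() for ch in PROTECTED}

# Hypothetical autolink rule: bare URLs become anchors.
URL_RE = re.compile(r'https?://[^\s<>"]+')


def _autolink(text, tokens):
    """Wrap bare URLs in an <a> tag, writing the tag with placeholder tokens
    so the escaping pass that follows leaves the markup alone."""
    def repl(m):
        url = m.group(0)
        lt, gt, q = tokens['<'], tokens['>'], tokens['"']
        return f'{lt}a href={q}{url}{q}{gt}{url}{lt}/a{gt}'
    return URL_RE.sub(repl, text)


def render_vulnerable(comment):
    """Escape once, stash markup behind fixed MD5 tokens, undo at the end."""
    out = _autolink(comment, FIXED_TOKENS)
    out = html.escape(out, quote=True)      # escapes what the user typed...
    for ch, tok in FIXED_TOKENS.items():    # ...but tokens are plain hex, so
        out = out.replace(tok, ch)          # anything matching one is restored raw
    return out


def render_fixed(comment):
    """Same pipeline, but each render mints its own unpredictable token, so a
    token typed by the attacker never matches and stays inert hex text."""
    nonce = secrets.token_hex(16)
    tokens = {ch: nonce + hashlib.md5(ch.encode()).hexdigest() for ch in PROTECTED}
    out = _autolink(comment, tokens)
    out = html.escape(out, quote=True)
    for ch, tok in tokens.items():
        out = out.replace(tok, ch)
    return out


# Constructed inputs. The attacker never types '<' or '>' (those would be
# escaped); they type the renderer's constant tokens for them instead.
BENIGN = 'see https://example.com/docs for details'
PAYLOAD = (FIXED_TOKENS['<'] + 'a href=# onmouseover=alert(1)' + FIXED_TOKENS['>']
           + 'hover me' + FIXED_TOKENS['<'] + '/a' + FIXED_TOKENS['>'])


def demo():
    """Return the three renderings a reviewer would compare."""
    return {
        'benign_vulnerable': render_vulnerable(BENIGN),
        'attack_vulnerable': render_vulnerable(PAYLOAD),
        'attack_fixed': render_fixed(PAYLOAD),
    }


if __name__ == '__main__':
    for name, rendered in demo().items():
        print(f'{name}: {rendered}')
```

The per-render nonce is the minimal patch for this pattern; the structurally sound design is to escape each user-supplied fragment once at the point it is inserted into markup the renderer builds itself, and never run an unescape step over the combined output at all. When auditing a sanitizer, look for any constant string that is replaced with a metacharacter after escaping has happened, and check whether that constant can be supplied by the user.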

Tolkad devised a proof-of-concept worm that exploited both bugs to propagate once launched, but he did not expect the attack to take off so quickly. After stopping the worm, cleaning up the rogue comments and patching the two holes, Reddit noted that the attacker had apologized for the incident and promised to follow responsible disclosure practices in the future.

Security experts commended the website admins and moderators for their prompt response and openness. "This is a beautiful example on how a company can and should respond to this type of incident," Chester Wisniewski, senior security advisor at Sophos, said. "Reddit did the right thing in an expedient manner and deserves a pat on the back. Other social networking sites and link aggregators have not responded in nearly as responsible or timely a manner in the past, so my hat is off to you Reddit," he concluded.