XSS Hole in Reddit Allows Gaping Access: Proof of Concept
Fixed by Reddit. So, a few months back Digg added a new feature that allowed users to invite and add friends more easily. Unfortunately, as I reported then, this hole allowed a site to automatically add friends if the visitor was still logged into Digg. This story did quite well on Reddit, which is often considered a rival, actually outperforming the story on Digg, which was, unsurprisingly, quickly buried. Nevertheless, an XSS hole in the handling of non-existent (404) pages has created a gaping hole which can allow a site to perform almost any site function we would want. To be fair to Reddit, I figured the Proof of Concept should mimic the one I did for Digg, an auto friend adder. If you are reading this page and are logged into Reddit, assuming the hole has not...