Reddit Attacked By Comment Spam Comment Bomb

by Truemorist | September 28, 2009 at 08:33 am

Reddit got attacked by rogue h4x0rz who found a way to insert comment bombs, turning you into a comment spammer against your will! Basically, mousing over a comment would execute a nugget of JavaScript that makes you automatically respond to every comment on the page. Like when people turn into agents in The Matrix. The exploit didn't attack a user's computer, but pwned their Reddit account; it's not a virus, but a worm, and the vulnerability has since been fixed.

Reddit was offline for a while yesterday, but now it's back.

The attacker appears to have figured out how to insert JavaScript into Reddit comments: thus, hovering over such a comment is all it takes to spread the exploit. We’re not aware of anything being downloaded to your machine at this point: only an XSS attack that posts the troublesome comments in your name.
There is a bug in how reddit handles markdown syntax (the language you use to do specialized punctuation, links, etc. in comments), such that pieces of JavaScript embedded in a comment can be executed. This was pointed out by a redditor earlier today in the programming /r.
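
One way to defend against the class of bug described above, added here as an example and not Reddit's actual code: re-parse the HTML that the markdown renderer produced and keep only allowlisted tags, attributes and link schemes, so a hover handler never reaches the page. The allowlists, the names `safe_url`, `CommentSanitizer` and `sanitize`, and the sample comment are assumptions constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlists for comment markup (illustrative, not Reddit's policy).
ALLOWED_TAGS = {"p", "em", "strong", "code", "pre", "blockquote", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
ALLOWED_SCHEMES = {"http", "https"}
# Constructed sample of rendered comment HTML; handler bodies are placeholders.
SAMPLE = ('<p>hi <a href="http://example.com/" onmouseover="PLACEHOLDER">link</a> '
          '<a href="JaVa\tScript:PLACEHOLDER">x</a><img src=x onerror="PLACEHOLDER"></p>')

def safe_url(value):
    # Browsers ignore tabs and newlines inside a URL, so drop every character
    # <= 0x20 before reading the scheme; relative URLs are rejected as well.
    cleaned = "".join(c for c in value if ord(c) > 0x20)
    try:
        return urlsplit(cleaned).scheme in ALLOWED_SCHEMES
    except ValueError:
        return False

class CommentSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.dropped = [], []  # safe HTML pieces, audit trail
    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.dropped.append(f"<{tag}>")
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()):
                self.dropped.append(f"{tag}@{name}")  # e.g. any on* handler
            elif name == "href" and not safe_url(value or ""):
                self.dropped.append(f"{tag}@href scheme")
            else:
                kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(escape(data, quote=False))  # text is always re-escaped

def sanitize(rendered_html):
    parser = CommentSanitizer()
    parser.feed(rendered_html)
    parser.close()
    return "".join(parser.out), parser.dropped
```

The `dropped` list doubles as a detection signal: a comment that loses an event-handler attribute or a link scheme during sanitizing is worth logging.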