don't visit reddit (for now)



Xbehave
September 28th, 2009, 04:07 AM
Reddit is under attack via a JS attack; if you mouse over the attacker text (in any browser) and allow JavaScript from reddit.com, you will trigger it. Please don't visit while logged in (e.g. use private browsing, as that way you will not be able to post).

pwnst*r
September 28th, 2009, 04:46 AM
http://mashable.com/2009/09/27/reddit-attack/

lol, that's some ownage right there.

purgatori
September 28th, 2009, 04:48 AM
I can't imagine what would compel me to visit the site in the first place.

Xbehave
September 28th, 2009, 04:58 AM
http://mashable.com/2009/09/27/reddit-attack/

lol, that's some ownage right there.
Can somebody explain how it's XSS (claimed in the link)? It seems like all the code is run from reddit, so it's not cross-site at all, hence why NoScript is failing!

hessiess
September 28th, 2009, 08:26 AM
Can somebody explain how it's XSS (claimed in the link)? It seems like all the code is run from reddit, so it's not cross-site at all, hence why NoScript is failing!

Look up how cross-site scripting works; one of the variants exploits incorrect invalidation of user input to get script stored in the site's DB, from which it is displayed on all pages that read that particular DB record.
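
The stored variant described in the last reply, as an added example that is not part of the original thread and is not Reddit's code: a hypothetical in-memory comment store rendered once without and once with output encoding, plus a crude check for inline event handlers in the rendered page. All names and the sample comments are constructed; the handler calls a placeholder `demo()`.

```javascript
// Added illustration: hypothetical comment store, not Reddit's code.
const db = []; // stands in for the site's comment table

// Input is stored exactly as submitted.
function saveComment(author, body) {
  db.push({ author, body });
}

// Vulnerable: stored text is concatenated into the page as markup, so it is
// served from the site's own origin to every visitor who loads the record.
function renderUnsafe() {
  return db
    .map(c => `<div class="comment"><b>${c.author}</b>: ${c.body}</div>`)
    .join("\n");
}

// Encode the five HTML-significant characters at output time.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, ch => map[ch]);
}

// Hardened: every stored field is encoded before it reaches the page.
function renderSafe() {
  return db
    .map(c => `<div class="comment"><b>${escapeHtml(c.author)}</b>: ${escapeHtml(c.body)}</div>`)
    .join("\n");
}

// Crude defender-side check on rendered output: does any tag carry an
// inline on* event-handler attribute (such as a mouse-over handler)?
function hasInlineHandler(html) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Constructed sample data; demo() is a harmless placeholder name.
saveComment("alice", "nice post");
saveComment("mallory", '<span onmouseover="demo()">hover me</span>');

console.log("unsafe render has handler:", hasInlineHandler(renderUnsafe()));
console.log("safe render has handler:  ", hasInlineHandler(renderSafe()));
```
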