reddit has been hacked
neomeme.net — Digg competitor reddit has just been hacked with a major XSS exploit. Interestingly, reddit's founder was aware of the exploit months ago, but neglected to fix it.
- digitallysick, on 10/11/2007, -148/+21
haha@reddit digg pwns u
- weeeeeeee, on 10/11/2007, -22/+177
"reddit’s programmers have made a major mistake in designing the site"
Just one look at reddit and it's pretty clear that a "design" was never an aspect of the site they put emphasis on. The whole bare-minimum amount of code to make the site usable really doesn't make this a surprise.
- Wailord, on 10/11/2007, -8/+65
I don't see anything...?
- zweben, on 10/11/2007, -5/+36
What does the hack actually do? I didn't see that mentioned anywhere.
- Mephux, on 10/11/2007, -210/+16
XSS = Cross-Site Scripting. Code Injection -- Please refer to Google.com for all stupid questions, that's what Google's here for; guess your parents used a weak algorithm.
- AZTriGuy, on 10/11/2007, -6/+130
@Mephux
Get off your high horse, bud. Not everyone here is a code-monkey, and while yes, it's easy to look things up on Google for most of us, you don't have to resort to personal attacks to get your point across. So lighten up, Francis...
- guitarh3ro, on 10/11/2007, -31/+1
Sorry, I couldn't resist.
- Sp0rAdiC, on 10/11/2007, -38/+9
"Digg does not allow any markup(or markdown) in its comments, so there is no risk of such an exploit:"
It doesn't? What are those thumbs?
- Mephux, on 10/11/2007, -90/+9
@AZTriGuy
Well, let's not turn this into a Human Rights Movement. I was simply making a point that he owns a computer and internet access, with a lot of resources at his fingertips.
- Cwo655321, on 10/11/2007, -39/+11
i am a terrible person
- Ridikul, on 10/11/2007, -22/+9
@cwo655321
Good job stealing chromvita's comment below. You must really want attention.
- natenovs, on 10/11/2007, -15/+9
Mephux,
it's funny, you were so condescending, but still didn't say anything about what XSS is. You just repeated crap and acted all high and mighty about it.
- AZTriGuy, on 10/11/2007, -3/+79
@Mephux
And Digg is one of the resources that he chooses to use. All he did was ask what this exploit in particular did, and this is a community of very knowledgeable people who are more than qualified as a group to answer that question. It just really irks me to see people being rude for no apparent reason other than someone asking a question. And I assume that it irks you to see someone ask a question you feel they could answer themselves with a little searching. This digg community just really seems to lash out at each other really easily rather than either helping or just biting their tongue. My own personal rule is that I never say something online in a post that I wouldn't be willing to say to someone's face if they were sitting right in front of me.
- gamebittk, on 10/11/2007, -20/+3
That little white dude with the beady eyes and the string hair is my bitch.
- DubbedOver, on 10/11/2007, -0/+31
@AZTriGuy
Don't be too offended by him, you're not the first person he has talked down to on digg. As a matter of fact, it seems that is the only way he knows how to communicate, judging from his past posts. Some people are just angry, and the block button is not very far from their name.
- tamrix, on 10/11/2007, -3/+9
I don't see anything hacked. Looks quite normal..
I'm not really trusting the source of this "blog" either..
- PathDaemon, on 10/11/2007, -0/+6
@sp0radic
Markup/markdown, AKA formatting tags to bold, italicize, add images, link text, etc.
@zweben
From TFA:
“Because reddit does not validate input and strip out potentially malicious code, anyone can enter a script that, using XSS, can steal your login and password for reddit or execute malicious code.”
- LiveFastDieOld, on 10/11/2007, -2/+31
Reddit wasn't actually "hacked" at all, so feel free to Digg this down as inaccurate.
What happened was that a user posted non-malicious code, exploiting an XSS vulnerability, into the "Submit" box — just to point out that the vulnerability was there.
- IbnDigg, on 10/11/2007, -5/+19
Don't you just love it when you get "kiddie googlers" like Mephux pretending to know what they are talking about.
- DCJoeDogaswell, on 10/11/2007, -3/+8
Give him a break, you just know he's been wanting to make the "Your parents use a weak algorithm" joke ever since the commercials came out. LOL
- PAJK, on 10/11/2007, -3/+9
Okay. Code contest. Someone write a patch within the Digg comments!
- Niten, on 10/11/2007, -1/+17
@livefastdieold: "Reddit wasn't actually "hacked" at all, so feel free to Digg this down as inaccurate."
Due to reddit's failure to validate user input, somebody managed to execute arbitrary JavaScript in the site's context which, among other things, could easily have read users' cookies and possibly even usernames and passwords. Whether somebody actually decided to _get_ the login credentials seems irrelevant to me; they certainly could have if they'd wanted to.
Things like this reinforce my decision to run Firefox's NoScript extension.
@weeeeeeee: "Just one look at reddit and it's pretty clear that a "design" was never a aspect of the site they put emphasis on."
Maybe, but don't get too cocky: they have comment threading, and we still don't...
- randomgeek, on 10/11/2007, -11/+7
"This digg community just really seems to lash out at each other really easily rather than either helping or just biting their tongue."
Hello? Geeks? Socially inept? Duh?
We know *****, and we know we know *****. No one told us the ***** we know, we went out and found our own *****. So if you want to know some *****, go look ***** up. Then, when you know *****, you can tell the noobs to stop asking ***** questions.
*****.
- gizmo490, on 10/11/2007, -0/+4
@PathDaemon's @zweben and @zweben as well :)
Even though the article says it gives the user the ability to execute malicious code, this is really almost a misnomer. The only domain the code could affect would be reddit's, assuming you are using any browser with a somewhat reasonable security policy (firefox or IE4+ etc.), which is almost a requisite for most of the ajax transactions these sites use to work, so the extent of the damage could be at worst someone getting your reddit info. Personally if some one took my digg info or reddit info I wouldn't give a *****.
Except for losing their reddit info, however, an informed user is in as much danger from this xss vulnerability as they are from typing the wrong name into the navigation bar.
Hopefully that info is a little helpful cause I didn't find that the article was that good for getting across the actual severity (or lack thereof) of the hack
- felch, on 10/11/2007, -0/+1
livefastdieold:
Actually, that's pretty much the definition of a hack. Just because it wasn't malicious doesn't mean it's not a hack. In fact, some would argue that malicious hacking isn't hacking at all.
- skyfire1, on 10/11/2007, -0/+3
This is the punishment that the people who said they were leaving digg get.
- digitallysick, on 10/11/2007, -4/+2
wow i got dugg down 122 times because i think digg is better than reddit? wtf
- ThreeDee912, on 10/11/2007, -2/+1
@digitallysick
The first comment always gets dugg up a lot, or buried a lot.
- MedHead, on 10/11/2007, -0/+1
I wish to add that I agree that one should always perform a search before asking a question on the Internet. I don't like laziness, and not doing a search on a system that is designed to spread information is definitely the mark of a lazy person.
It's better to say "Do a search before asking ANY question", rather than just applying it to "stupid" questions.
- PromaneX, on 10/11/2007, -22/+4
That's pretty bad that they left such a gaping hole in the security. Wonder if they will need to take the site offline for a while to fix it?
- weknowsnow, on 10/11/2007, -12/+4
#phreak style. TNO '93
- NGliam, on 10/11/2007, -16/+4
I see no.. hacking.. at all :/
- ChromaVita, on 10/11/2007, -7/+91
I am a terrible person.
- phatvolvo, on 10/11/2007, -2/+45
alert('I am a terrible person');
c'monnn...
- QstorM427, on 10/11/2007, -7/+98
Digg covert operation.
- ncraig, on 10/11/2007, -40/+2
digg ftw!
- CBTF, on 10/11/2007, -9/+41
Digg for more stories maybe, but for a decent discussion reddit wins. Your comment (along with the first one of the story as well) illustrates this.
- ruslanr, on 10/11/2007, -6/+223
why can't someone hack and delete myspace's user base?
- praisethelard, on 06/06/2008, -15/+121
Because there is no god :(
- 2Deluxe, on 10/11/2007, -27/+8
We don't want to make you cry, ruslanr ;)
- VanD, on 10/11/2007, -8/+15
YES PLEASE!
- jackyyll, on 10/11/2007, -4/+28
Because their userbase is fake, they use string theory to generate it dynamically! Goddamn emo strings...
- Ridikul, on 10/11/2007, -9/+1
Yes and if you see xxEMILYxx then uh.. could you submit her e-mail to a few porn sites?
- mishabear, on 10/11/2007, -4/+2
All Your Userbase Are Belong to Us
- titlesaysitall, on 10/11/2007, -2/+3
Myspace is a modern day more contained Matrix.
- blog4charity, on 10/11/2007, -19/+2
digg has been hacked too!
- Hindu_Wardrobe, on 10/11/2007, -11/+5
Wasn't loading for a bit.
F5 F5 F5... There it is!
/me shrugs
- eplawless, on 10/11/2007, -5/+13
I remember doing that to Netscape a while back. This is just basic security stuff.
One function (htmlspecialchars) and the flaw is fixed. :P
Seriously it would take like 5 minutes.
- l0ne, on 10/11/2007, -4/+5
The problem is, a developer should never have to think about doing it! Forgetting it is so dangerous that the choice shouldn't be left in the hands of a dev -- at least it should be the *opposite*, something like echo raw(...);.
In my little web framework, user-input strings are wrapped by objects. If I echo $x;, $x is automatically htmlspecialchars'd before being echoed. If I need raw HTML from user input, I have to extract a string buffer from the object first. I don't know if it's a good solution, but we'll see if it works shortly.
- joshduck, on 10/11/2007, -1/+2
@l0ne: Your idea sounds interesting. I tend to format all data before committing to the database, and then knowing/assuming that database code is safe. Of course you could have other processes inserting unsafe data, and new vulnerabilities could be discovered in already parsed data, which is a problem.
You should take a look at http://htmlpurifier.org/ if you haven't already, it seems to be a fairly solid looking class. They use white lists and parse the HTML into an internal structure, rather than using regexes.
- PradaPete, on 10/11/2007, -7/+0
your little framework...LOL...it's a piece of dung
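The escape-by-default wrapper l0ne describes (and the one-function htmlspecialchars fix eplawless mentions), sketched in Python as an added example; this is not l0ne's PHP framework or reddit's code. `Safe`, `escape`, `raw` and `render_comment` are assumed names, and `html.escape` stands in for htmlspecialchars.

```python
import html


class Safe(str):
    """A string that is already HTML-escaped (or explicitly trusted markup).

    Joining a Safe with a plain str escapes the plain str; a Safe is never
    escaped a second time, so output cannot be double-escaped. Untrusted
    text therefore only reaches the page escaped, unless a developer
    deliberately calls raw() -- the "opposite default" l0ne argues for.
    """
    __slots__ = ()

    def __add__(self, other):
        return Safe(str.__add__(self, escape(other)))

    def __radd__(self, other):
        return Safe(str.__add__(escape(other), self))

    def format(self, *args, **kwargs):
        # Every substituted value is escaped before it lands in the template.
        args = tuple(escape(a) for a in args)
        kwargs = {k: escape(v) for k, v in kwargs.items()}
        return Safe(str.format(self, *args, **kwargs))


def escape(value):
    """Escape an untrusted value for HTML; Safe values pass through untouched.

    quote=True also escapes " and ', so the result is usable inside
    attribute values, not only between tags.
    """
    if isinstance(value, Safe):
        return value
    return Safe(html.escape(str(value), quote=True))


def raw(markup):
    """Explicit opt-out: mark markup as trusted without escaping it."""
    return Safe(markup)


def render_comment(author, body):
    """Render one comment; both author and body are untrusted user input."""
    template = Safe('<li data-author="{author}">{body}</li>')
    return template.format(author=author, body=body)


if __name__ == "__main__":
    # Constructed sample input: the harmless payload posted in this thread.
    print(render_comment("phatvolvo",
                         "<script>alert('I am a terrible person');</script>"))
    # Trusted markup survives; the untrusted part joined to it does not.
    print(raw("<b>trusted</b>") + " & untrusted <text>")
```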
- Codename, on 10/11/2007, -29/+2
That's why good HTML coders are needed, a simple SQL Injection can cause all this, ah well, there will always be people who exploit stuff, just how the internet works. Good Luck, and hopefully you can fix it.
- morninglorii, on 10/11/2007, -11/+6
I don't understand how good HTML coders have any relevance to this... did you mean PHP coders or something?
- 1ncontrol, on 10/11/2007, -7/+4
In this case, Lisp coders, actually.
- aaronm67, on 10/11/2007, -1/+20
I'd be pretty damn impressed if you showed me a SQL injection in html.
- neoform, on 10/11/2007, -1/+3
After reading a lot of these comments, I'm pretty sure no one here actually knows how to make an XSS exploit work..
- ThatEvilGuy, on 10/11/2007, -15/+52
reddit almost always has more interesting topics than Digg, and that's true.
- DaMacGamer, on 10/11/2007, -15/+49
But do they have life sized replicas of cars made out of cake? I think not.
http://digg.com/design/Can_you_believe_this_car_in_real_size_is_a_cake_12_pics
- m3mn0n, on 10/11/2007, -16/+3
How dare you mock Digg.
You're going straight to Redmond for that.
- h0dg3s, on 10/11/2007, -4/+11
http://reddit.com/info/1tvh7/comments
- FuzzyCat, on 10/11/2007, -0/+17
... but they do have a tree eating a bicycle..
http://reddit.com/info/1ttnm/related
- ajz8182, on 10/11/2007, -0/+1
I really agree with this.
I click on more R than the Digg.
It's simple. I think R sold out too soon. IMHO.
- alpine75, on 10/11/2007, -18/+34
If only there was a way to hack Digg to stop all the annoying Ron Paul stories!
- omnidatacenter, on 10/11/2007, -5/+53
This exact same thing was happening to Digg version 3 in the beginning, but the Digg people were masters at sweeping this kind of stuff under the rug unlike the poor guys at Reddit... like the digg user who was able to upload an html file (because of no form validation) into the user avatar upload form to email himself everyone's cookie that went to his page which was now hosted at Digg. Further, he got a lot of hits by getting this page posted on the front page of Digg having put the story in the "admin only" category digg_news thanks to more poor or non-existent validation code. Or the guy who dugg over 100,000 stories in advance to their initial posting (due to non-existent Ajax validation). Digg is just as after-the-fact reactive to security issues as Reddit, the difference is that they react faster and are very good at covering up their mistakes.
- l0ne, on 10/11/2007, -0/+4
I have no problem with this as long as they *fix* the damn thing, of course, including any after-effect.
- ericnmu, on 10/11/2007, -12/+21
at least they don't censor!
- AjaxDiggz, on 10/11/2007, -2/+2
True that, how come the censorship on Digg has gotten less transparent than it used to be? I'm watching big digg stories disappear from the front page and very low count stories boosting up out of nowhere. Seems like it's become more hands on for the staff since the HD crack meltdown. Is it just me?
- FyberOptic, on 10/11/2007, -10/+8
Fun fact: Wired News is biased towards reddit, supposedly because they're both under the same umbrella. I've seen stories on Wired which are negative towards Digg too, which seems to further strengthen the case.
So, ***** reddit. And unfortunately, Wired too.
- badjoke, on 10/11/2007, -1/+6
I don't think it's as much of a hack (yet) or a defacing as just a found vulnerability. From my understanding of the article, users can place their own code in comments which can do certain things.
- je12u, on 10/11/2007, -18/+2
Written by:
JM on May 26th, 2007
"Does Reddit censor users like Digg does, and is the average demographic of a Redditor 16 years old and male?"
I'm 17 dick!
- SteveCUBE, on 10/11/2007, -1/+10
"average"
- je12u, on 10/11/2007, -9/+2
it's a "joke"
- Cwo655321, on 10/11/2007, -5/+3
maybe you shouldn't be reading it anyways; cuz you're an idiot
- Spazkake, on 10/11/2007, -3/+2
http://reddit.com/info/1tt22/comments
- TheKingOfHell, on 10/11/2007, -3/+3
I have nothing against Reddit and I am really sorry that happened.
- Rooster99, on 10/11/2007, -4/+3
@Mephux
If you were simply pointing something out then why did you resort to a personal attack on his parents?? You're a douchebag.
- esourcemag, on 10/11/2007, -10/+2
Ummm... isn't Reddit a social bookmarking site while Digg is a social news site? I don't see that as a Digg competitor.
- GotMex, on 10/11/2007, -2/+6
Why don't you try going to http://www.reddit.com yourself before making that claim.
- merdiesel, on 10/11/2007, -3/+2
"XSS = Cross-Site Scripting. Code Injection -- Please refer to Google.com for all stupid questions, that's what Googles here for; guess your parents used a weak algorithm."
"Well lets not turn this into a Human Rights Movement. I was simply making a point that he owns a computer and internet access, with a lot of resources at his finger tips."
Mephux sounds exactly like Dwight Schrute.
- sunyata322, on 10/11/2007, -0/+9
"So far, redditors are just playing around with the exploit, but it is only a matter of time before someone writes a malicious script"
sounds a little contradictory to "has been HACKED!!!!"
- LukyJay, on 10/11/2007, -6/+0
You like sex?
- insomniac8400, on 10/11/2007, -4/+1
Why fix something that will bring you the publicity of a digg?
- ElbridgeGerry, on 10/11/2007, -1/+3
"Hacked"? It was a problem fixed before anyone could do more than javascript alert boxes with it.
- RyanDaRin, on 10/11/2007, -1/+6
reddit is still better than digg.
- Sharky35, on 10/11/2007, -6/+1
He didn't fix it because he's not as cool as Kevin and his Penis is only 4" long... 1/3 the length of Kevin's,
- raid517, on 10/11/2007, -0/+21
There's one thing I have found about Reddit - and that is that while I find the layout of Digg easier to read, there seems to be a better/wider demographic on Reddit than there is on Digg. It doesn't seem to be so heavily populated by 13 to 16 year old boys, there isn't so much misogyny, sexism, racism and homophobia etc. and nowhere near as much pointless/gratuitous swearing/cursing whenever (many of the often younger) posters are trying to make a point. (I am not against swearing in the proper context, but many Diggers appear to abuse this capacity simply because (as children often do) they seem to think it makes them appear big and clever and possibly a bit more grown up).
There is not such a mad clamour to vote comments up or down either - or at least I haven't noticed it. The Digg comment system is I think too often and too readily abused. I am all for Digging stories up or down - but Digging comments often just does not work - as usually it ends up just becoming some petty popularity contest - where the only comments that tend to survive are those that have the best ability to play into the sentiments of the mob.
In days gone by everyone was entitled to their own opinion and other people simply had to learn to deal with this and to respond in an intelligent or considered way. Digg takes this capacity away with the ability to simply Digg comments up or down - so that it is almost impossible to have any reasonable or rational debate about anything. I certainly don't remember seeing a proper debate on Digg for a very, very long time. Just a bunch of sniping comments by what often seem like very bitter and very small minded people, who use the Digg comment system as a means of either self validation (as in trying to always post comments that they feel will be popular) or as a means of making other people feel worse than they do (and therefore perversely making them feel better about themselves) by randomly digging comments by other posters down - without any really good or thought out, or valid reason for doing so.
My solution in any case would be to still allow stories to be dugg up and down in the normal way - but comments could only be dugg up and down by the user. Or put another way, just as you can hide/ban comments by a user on your own personal ban list, if you digg a comment down (or up) your vote would be visible only to you (so you can still have the psychological satisfaction of digging comments up or down (or buring them) while not making the Digg comment system itself seem like some petty vicious schoolyard fight).
That way some of the motivation to digg comments up or down will be removed and whether a comment is popular or not, people can still at least feel that it is possible to comment on Digg without worrying if they are going to be made to feel like utter crap because of it). Either that or add a 'weighted' Digging system, so that a comment has to be really unpopular, or really dumb before it gets dugg down. (Such as for example a comment would need -10 Diggs or more for every 1 negative digg visible to other posters. Submitter stories are already weighted in a somewhat similar way (although not quite in exactly this way) so the idea of a weighted digging system for comments is at least not entirely new.
Things like this would go a long way towards preventing abuse and towards allowing much more people to feel able to comment and it might even help encourage real debate - without people feeling that doing so may be pointless just because a bunch of lazy and thoughtless people appear unable to deal reasonably with opinions and points of view that may in some way differ from their own.
Anyway I'm sure Diggers will think this is an unpopular comment. Let's see if anyone has the maturity to simply allow it to exist as one unique and potentially valid point of view, rather than just taking the easy way out and deploying the typical Digg knee jerk reaction and digging comments down simply because you may not entirely agree with them.
- crazydiode, on 10/11/2007, -5/+1
sorry dude.. we are like this only !!!
- n0ydz, on 10/11/2007, -1/+4
Amen.
I think your points are valid, and you offer up a solid solution to the problem. Now if only Kevin Rose would take these flaws into consideration.
- pzimmerm, on 10/11/2007, -0/+2
Thanks for your thoughtful comments. I've kept my participation in Digg to a relative minimum for the very reasons that you suggest. Personally, I would go further and describe the tone around Digg as often being simply hateful.
- dynamicvb, on 10/11/2007, -2/+0
@Raid516, Well said.
As far as the people talking about how terrible having an XSS hole is: if you do a little research on this, you will find that most sites have these holes. There are so many variations and it takes a lot of code to combat them and still allow functionality such as you have with most web 2.0 sites.
- syafthegeek, on 10/11/2007, -1/+2
Myspace is better be hacked otherwise rather than Reddit.
- fastfood15, on 10/11/2007, -3/+1
that's what you get with a second rate website.
digg FTW
- JoeDiggsIt, on 10/11/2007, -4/+1
Yet another reason not to use Reddit.
- JoeDiggsIt, on 10/11/2007, -1/+1
Why am I getting dugg down? Digg wouldn't ever leave a gaping hole for usernames and passwords to be stolen through. And along with Digg's much prettier GUI and other features (besides the whole 13-16 year old spammer thing) why should anyone want to use Reddit.
- bigalreturns, on 10/11/2007, -0/+1
I primarily use digg for news etc, but a good reason to use reddit could be that its pages don't take around 3 days to load even on a cable connection
- Geekiest, on 10/11/2007, -1/+0
Serves those ***** right for not fixing the exploit. Another example of the "myspace disease", "if it ain't broke don't fix it, even if it's broke".
- monstermonkey, on 10/11/2007, -1/+0
Does anyone actually use Reddit, I hear some things about it, it doesn't sound that great. I'll head over there just to keep you Reddit fans happy, I am sure it's good. But as far as I am concerned it's Digg all the way.
- sabotank, on 10/11/2007, -1/+1
oops, i thought the headline read reddit is full of hacks. damn
- Deviant_Tech, on 10/11/2007, -0/+1
This article is the first time I've ever heard of reddit... and I have to say... I like it WAY better than digg.
- robszol, on 10/11/2007, -1/+2
digg me down!!
- BurntPickle, on 10/11/2007, -1/+1
Yay! For overly sensationalized BS making it to the homepage, again.
- xbugmenotx, on 10/11/2007, -2/+0
Digg sucks worse than Reddit.
- pkoduru, on 10/11/2007, -1/+0
i would just bury it just bcos it is abt reddit
- dpower, on 10/11/2007, -0/+1
"Interestingly, reddit's founder was aware of the exploit months ago, but neglected to fix it"
Publicity anyone?