XSS Hole in Reddit Allows Gaping Access: Proof of Concept

Fixed by Reddit.

So, a few months back Digg added a new feature that allowed users to invite and add friends more easily. Unfortunately, as I reported then, this hole allowed a site to automatically add friends if the visitor was still logged into Digg.

This story did quite well in Reddit, often considered rivals, actually out performing the story on Digg which was, unsurprisingly, quickly buried.

Nevertheless, an XSS hole in the handling of non-existing 404 pages has created a gaping hole which can allow a site to perform almost any site function we would want. To be fair to Reddit, I figured the Proof of Concept should mimic the same one as I did for Digg, an auto friend adder. If you are reading this page and are logged into Reddit, assuming the hole has not yet been fixed, you will add “rjonesx” as a friend.

By using the most basic XSS and CSRF techniques, I was able to do the following…

1. Inject a remote script onto a 404 page (http://www.thegooglecache.com/reddit-friends-adder.js)
2. Inject an iframe into that same 404 page of the /prefs/friends page
3. Use the remote script with a basic timed delay to fill out and submit the form on the /prefs/friends page to add rjonesx as a friend

The solution, of course, is as simple as any good XSS security solution. Don’t print out what is in the URL. If you must, strip all HTML.

No tags for this post.