It hasn't been a good weekend for social ranking sites. Security vulnerabilities were uncovered at Digg-competitor Reddit and Pligg, a site that lets you create your own Digg clone. The security problems at each site were unrelated and have been patched.Basically, the problem at Reddit was that the site let users upload malicious code in their comments that could grant access to your account login and other information. For the most part, Reddit users played with vulnerability by uploading benign code. The exploit has been fixed, and now any user who uploaded such code has had the text replaced with "I am a terrible person."
The Pligg vulnerability was even more serious, allowing an attacker to take over an entire website. Pligg has released a patch, and recommends anyone running a Pligg site upgrade immediately.
[via Frantic Industries]
Reader Comments (Page 1 of 1)
5-28-2007 @ 8:11AM
Aaron Bassett said...
Many people don't realise just how serious an XSS vulnerability can be. Alot of times the view is "well its only Javascript!?"
In attempt to show just what could be done if a malicious user managed to inject Javascript into a page I wrote a post detailing some of the attacks which could be performed. You can read the full post and see the code examples at: http://foobr.co.uk/2007/05/javascript_is_for_hackers/
Reply