Reddit exploited - Shows the world how to respond

Filed Under: Vulnerability


Last night it was reported that Reddit had been attacked and malicious JavaScript was disrupting the use of the site.

In less than 24 hours, Reddit had not only fixed the issue, but had come clean on how it had occurred.

This is a beautiful example of how a company can and should respond to this type of incident. Reddit demonstrates several positive attributes of good web security practice all at once.

  1. They acknowledged responsibility and publicly explained the mistakes that were made.
  2. They rightly confronted the attacker, dealt with the irresponsible disclosure, and did not whine about it.
  3. They detailed the exploits they fell victim to and disclosed them publicly to assist others.

Sophos has published a technical paper detailing some best practices to follow when deploying websites and web applications. This paper covers topics such as cross-site scripting (XSS) and other issues to consider when reviewing your web applications.

The attack against Reddit was an XSS attack, but a large number of websites on the internet are vulnerable to the other attacks detailed in the paper as well.

Reddit did the right thing in an expedient manner and deserves a pat on the back. Other social networking sites and link aggregators have not responded in nearly as responsible or timely a manner in the past, so my hat is off to you, Reddit.


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.