In less than 24 hours, Reddit had not only fixed the issue, but had come clean on how it had occurred.
This is a beautiful example of how a company can and should respond to this type of incident. Reddit demonstrated several positive attributes concerning web security all at once.
- They have acknowledged responsibility and explained publicly the mistakes that were made.
- They rightly confronted the attacker, dealt with the irresponsible disclosure, and did not whine about it.
- They detailed the exploits they fell victim to, and disclosed them publicly to assist others.
Sophos has published a technical paper detailing some best practices to follow when deploying websites and web applications. This paper covers topics such as cross-site scripting (XSS) and other issues to consider when reviewing your web applications.
The attack against Reddit was an XSS attack; however, there are a large number of websites on the internet vulnerable to the other attacks detailed in the paper.
Reddit did the right thing in an expedient manner and deserves a pat on the back. Other social networking sites and link aggregators have not responded in nearly as responsible or timely a manner in the past, so my hat is off to you Reddit.