This Link Could Have Been Anything [Reddit Spam Issue]

By Daniel Miessler on June 5th, 2007: Tagged as Reddit | Security | Spam

Dear Reddit Team,

As you will no doubt have already noticed, this link does NOT reside on reddit.com, despite it appearing like it did on the website.

This means that people are currently able to post links to any domain they want and make it look like it came from the reddit domain (see image below).

<

p style=”text-align: center”>redditspam (clearly not the case)

I’ve sent you (the Reddit team) an email through the feedback function and will be happy to show you how I did it (assuming you don’t already know) as well as offer any other assistance.

Kind regards,

– Daniel Miessler E: daniel@dmiessler.com W: http://dmiessler.com G: 0xD4A8FFF6

[Edit] I haven’t heard from the reddit team and someone’s figured it out in the comments, so I’ll go ahead and mention it here. The problem is that all links on the reddit page don’t point to the real destinations, but rather to reddit-homed redirects for the purpose of counting clicks. This means that when you submit something, reddit makes a nice reddit-based link to any domain you submit. If you then submit THAT link you reproduce the effect.

I think one solution would be to place the target domain in the reddit-created link so that it can be filtered when people submit links that point to the “reddit” domain. So:

-- if link points to reddit.com check to see target domain if not reddit.com drop input else let it through --

[Edit 2] The reddit team finally contacted me and acknowledged the bug, so I removed my story from the site. I find it commendable that they didn’t remove the link themselves; and they didn’t even ask me to do so. Kudos to reddit.:

  • http://gundamus.com/ mark

    Don’t read it.

  • http://gundamus.com mark

    Don’t read it.

  • http://dmiessler.com/ Daniel Miessler

    Don’t read it

    You misunderstand; Reddit is one of my favorite sites.

  • http://www.doughstreet.com/ Marc Yoshido

    We should be careful on the web. It’s a dangerous place.

  • http://dmiessler.com Daniel Miessler

    Don’t read it

    You misunderstand; Reddit is one of my favorite sites.

  • http://www.doughstreet.com Marc Yoshido

    We should be careful on the web. It’s a dangerous place.

  • AJ

    I think this is interesting…and I have previously bookmarked your UNIX command tutorials–they’re most excellent!!

  • http://n/a AJ

    I think this is interesting…and I have previously bookmarked your UNIX command tutorials–they’re most excellent!!

  • gabbonded

    It would be nice

  • gabbonded

    It would be nice

  • Ben

    is this any worse than submitting a link to tinyurl, or any other site that provides redirects?

  • Ben

    is this any worse than submitting a link to tinyurl, or any other site that provides redirects?

  • http://flip.tv/ Chris

    It is worse than tinyurl (or similar) because users (at least) me make an assumption when I see a reddit url. I don’t see anything wrong with using tinyurl. But I’m not sure why you would do that on a site like reddit.

  • http://flip.tv Chris

    It is worse than tinyurl (or similar) because users (at least) me make an assumption when I see a reddit url. I don’t see anything wrong with using tinyurl. But I’m not sure why you would do that on a site like reddit.

  • Bill

    Wow! That is simply THE most shocking thing I’ve ever heard! My wife just went into labor, but I’m so upset about this, I had to tell her to make her own way to the hospital. This is more than shocking, it’s disgraceful, and criminally negligent.

    Has anyone contacted the authorities? Those bad boys at Reddit should be locked up in Guantanamo for allowing something of this magnitude to occur. Such evildoers…

    Oh, the shame, the shame!

  • Bill

    Wow! That is simply THE most shocking thing I’ve ever heard! My wife just went into labor, but I’m so upset about this, I had to tell her to make her own way to the hospital. This is more than shocking, it’s disgraceful, and criminally negligent.

    Has anyone contacted the authorities? Those bad boys at Reddit should be locked up in Guantanamo for allowing something of this magnitude to occur. Such evildoers…

    Oh, the shame, the shame!

  • http://www.loveacrossborders.com/ Shaun Apple

    Thanks for point out this bug.

    Love Across Borders Community Publishing http://www.loveacrossborders.com

  • http://www.loveacrossborders.com Shaun Apple

    Thanks for point out this bug.

    Love Across Borders Community Publishing http://www.loveacrossborders.com

  • http://efresh.com/ doug

    I’m scared

  • http://efresh.com doug

    I’m scared

  • Bill

    Hang in there Doug. We’ll get through this together.

  • Bill

    Hang in there Doug. We’ll get through this together.

  • http://dmiessler.com/ Daniel Miessler

    The reddit team finally contacted me and acknowledged the bug, so I removed my story from the site. I find it commendable that they didn’t remove the link themselves; and they didn’t even ask me to do so. Kudos to reddit.:

  • http://dmiessler.com Daniel Miessler

    The reddit team finally contacted me and acknowledged the bug, so I removed my story from the site. I find it commendable that they didn’t remove the link themselves; and they didn’t even ask me to do so. Kudos to reddit.:

  • Bill

    Come on now Daniel, you’re smarter than that. After all the s*** over at Digg over the past few months over censoring and removing posts, did you really, honestly, think that anyone at Reddit would remove your post?

    Quit being so polite – it’s not a job interview.

  • Bill

    Come on now Daniel, you’re smarter than that. After all the s*** over at Digg over the past few months over censoring and removing posts, did you really, honestly, think that anyone at Reddit would remove your post?

    Quit being so polite – it’s not a job interview.

  • Dave

    “Quit being so polite – it’s not a job interview.”

    Haha.. dunno if you’ve ever watched Daniel wrestle the bottom feeders at http://dslreports.com or not, but Daniel is always very well behaved.

    Hell, he didn’t even tell you to eat a dick for your bullshit comments above.

  • Dave

    “Quit being so polite – it’s not a job interview.”

    Haha.. dunno if you’ve ever watched Daniel wrestle the bottom feeders at http://dslreports.com or not, but Daniel is always very well behaved.

    Hell, he didn’t even tell you to eat a dick for your bullshit comments above.

  • http://www.blizzardboy.net/ simon

    I read reddit via popurls.com and one of the reasons I was initially attracted to reddit was the fact that I could click on story titles displayed on the feed summary at popurls and go straight to the story. With other sites like netscape or digg one has to go to the netscape or digg website and then click read the story which put me off using those sites. Oh, that and the stories at reddit are more interesting.

    Someone mentioned title modding – I think that could be a way to go.

  • http://www.blizzardboy.net simon

    I read reddit via popurls.com and one of the reasons I was initially attracted to reddit was the fact that I could click on story titles displayed on the feed summary at popurls and go straight to the story. With other sites like netscape or digg one has to go to the netscape or digg website and then click read the story which put me off using those sites. Oh, that and the stories at reddit are more interesting.

    Someone mentioned title modding – I think that could be a way to go.

  • http://pxhiyldcqb.com/ pxhiyldcqb

    Hello! Good Site! Thanks you! rkabqikhuxyus

  • http://pxhiyldcqb.com pxhiyldcqb

    Hello! Good Site! Thanks you! rkabqikhuxyus


Top

Popular

Information Security / Technology

Politics

Philosophy & Religion

Technology & Science

Culture & Society

Miscellaneous

Arguments

Projects

Collections

Twitter

What I'm Reading

Favorite Books and Essays

Top Blog Categories

Inputs