This Link Could Have Been Anything [Reddit Spam Issue]

By Daniel Miessler on June 5th, 2007: Tagged as Reddit | Security | Spam

Dear Reddit Team,

As you will no doubt have already noticed, this link does NOT reside on reddit.com, despite it appearing like it did on the website.

This means that people are currently able to post links to any domain they want and make it look like it came from the reddit domain (see image below).

<

p style=”text-align: center”>redditspam (clearly not the case)

I’ve sent you (the Reddit team) an email through the feedback function and will be happy to show you how I did it (assuming you don’t already know) as well as offer any other assistance.

Kind regards,

– Daniel Miessler E: daniel@dmiessler.com W: http://dmiessler.com G: 0xD4A8FFF6

[Edit] I haven’t heard from the reddit team and someone’s figured it out in the comments, so I’ll go ahead and mention it here. The problem is that all links on the reddit page don’t point to the real destinations, but rather to reddit-homed redirects for the purpose of counting clicks. This means that when you submit something, reddit makes a nice reddit-based link to any domain you submit. If you then submit THAT link you reproduce the effect.

I think one solution would be to place the target domain in the reddit-created link so that it can be filtered when people submit links that point to the “reddit” domain. So:

-- if link points to reddit.com check to see target domain if not reddit.com drop input else let it through --

[Edit 2] The reddit team finally contacted me and acknowledged the bug, so I removed my story from the site. I find it commendable that they didn’t remove the link themselves; and they didn’t even ask me to do so. Kudos to reddit.:

  • Digg
  • Reddit
  • HackerNews
  • StumbleUpon
  • DZone
  • Google Bookmarks
  • Twitter
  • Facebook
  • del.icio.us
  • FriendFeed
  • Posterous
  • RSS
  • email
  

View Comments

  • Hello! Good Site! Thanks you! rkabqikhuxyus
  • I read reddit via popurls.com and one of the reasons I was initially attracted to reddit was the fact that I could click on story titles displayed on the feed summary at popurls and go straight to the story. With other sites like netscape or digg one has to go to the netscape or digg website and then click read the story which put me off using those sites. Oh, that and the stories at reddit are more interesting.

    Someone mentioned title modding - I think that could be a way to go.
  • Dave
    "Quit being so polite - it’s not a job interview."

    Haha.. dunno if you've ever watched Daniel wrestle the bottom feeders at http://dslreports.com or not, but Daniel is always very well behaved.

    Hell, he didn't even tell you to eat a dick for your bullshit comments above.
  • Bill
    Come on now Daniel, you're smarter than that. After all the s*** over at Digg over the past few months over censoring and removing posts, did you really, honestly, think that anyone at Reddit would remove your post?

    Quit being so polite - it's not a job interview.
  • The reddit team finally contacted me and acknowledged the bug, so I removed my story from the site. I find it commendable that they didn’t remove the link themselves; and they didn’t even ask me to do so. Kudos to reddit.:
  • Bill
    Hang in there Doug. We'll get through this together.
  • I'm scared
  • Thanks for point out this bug.

    Love Across Borders Community Publishing
    http://www.loveacrossborders.com
  • Bill
    Wow! That is simply THE most shocking thing I've ever heard! My wife just went into labor, but I'm so upset about this, I had to tell her to make her own way to the hospital. This is more than shocking, it's disgraceful, and criminally negligent.

    Has anyone contacted the authorities? Those bad boys at Reddit should be locked up in Guantanamo for allowing something of this magnitude to occur. Such evildoers...

    Oh, the shame, the shame!
  • It is worse than tinyurl (or similar) because users (at least) me make an assumption when I see a reddit url. I don't see anything wrong with using tinyurl. But I'm not sure why you would do that on a site like reddit.
  • Ben
    is this any worse than submitting a link to tinyurl, or any other site that provides redirects?
  • gabbonded
    It would be nice
  • AJ
    I think this is interesting...and I have previously bookmarked your UNIX command tutorials--they're most excellent!!
  • We should be careful on the web. It's a dangerous place.
  • > Don't read it

    You misunderstand; Reddit is one of my favorite sites.
  • Don't read it.
blog comments powered by Disqus

 

twitter_icon

Sample Original Content


Information Security

Tutorials and Primers

Culture & Society

Technology & Science

Politics

Philosophy & Religion

Miscellaneous

Tools & Projects


Blog Archives