Need help dispelling myths about how hackers access websites
I hope I’m posting this in the correct place. I’ve been having a disagreement with someone over the abilities of hackers. I kinda hope Deimorz pops in because he wrote automod.
I said that the only way for someone to gain access to a subreddit to make changes is if they steal a moderator’s account password or they are added to the mod team. The person I’m having a disagreement with believes that adding text to the wiki for users to view (like the extensive wiki r/skincareaddiction has) would make it easier for hackers to insert malicious code in order to gain access to the sub. This person also mentioned being able to change the subreddit through browser tools. She insists the sidebar and wiki are potential access points for scripting attacks. Automod just so happens to be enabled which is why I mentioned Deimorz.
I’m not an IT professional. My brothers currently are which helped me learn most of what I know. I’ve supplemented that over the years with whatever info I came across online. What she’s saying sounds like crazy town to me. But since I’m not a hacker, is there a way to use the sidebar or wiki area to hack into a subreddit?
Thanks in advance to anyone who pities me by providing a detailed answer to this thinly veiled request to help me win an internet argument 🙇🏾♀️.
I don't know enough about reddit to speak authoritatively, but I am a web developer.
Depending on what the definition of "hack" is here, or the goals of a hypothetical scoundrel, I see two primary ways to gain unauthorized access to a subreddit: 1) stealing the credentials of a real moderator, 2) a genuine security flaw in reddit itself
One example of 2 would be so-called "script injection", which is what it sounds like your friend is talking about. In injection attacks, some piece of user-provided input (like a comment, flair, or wiki article) is intended to be displayed back to other users. If the correct filtering steps are not taken by the site in question, it's possible for a malicious user to submit content containing HTML or JavaScript that, when displayed by the victim's browser, will be executed, possibly allowing credentials or session tokens to be stolen or for the script to take malicious actions directly on behalf of its creator.
Injection attacks and proper filtering of user input are very common and well understood, being taught to pretty much everyone in their first year of learning web development. An injection attack in reddit would be a huge deal, but I'm pretty sure they've covered their bases on that.
For example, even though Tildes supports entering some HTML tags, if I type `<script type="text/javascript">alert("boo!");</script>` it gets properly escaped so that the browser doesn't interpret it as being a real script that it should run.
The other thing you mentioned is being able to change the subreddit through the browser dev tools. This will only ever change the local copy of the page that's living in your browser's memory. It's helpful if you want to learn how a site works, or apply your own CSS to make it easier to read, but any changes you make won't be sent back to the server or appear to any other users. It's worth noting that this is basically what tools like RES do, add scripts and content to the page to provide new features, but that each user needs to download RES individually and it never affects any other users who don't have that addon.
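The escaping described in the comment above, as an added example that is not part of the original post and is not Reddit's or Tildes' code: a renderer that escapes all submitted text first and only then adds the few tags it generates itself, next to the vulnerable pattern. The sample text, function names and the small bold/link syntax are assumptions made for illustration.

```python
import html
import re

# Constructed sample of user-submitted wiki/sidebar text (not real site data).
SUBMITTED = ('Rule 1: be kind. <script type="text/javascript">alert("boo!");</script> '
             '**No spam** [rules](https://example.com/rules) [x](javascript:alert(1))')

ALLOWED_SCHEMES = ("http://", "https://")

def render_unsafe(text):
    """Vulnerable pattern: user text is pasted into the page unchanged."""
    return '<div class="wiki">' + text + '</div>'

def _link(match):
    """Turn [label](url) into a link only when the URL scheme is allowed."""
    label, url = match.group(1), match.group(2)
    if url.lower().startswith(ALLOWED_SCHEMES):
        return '<a href="%s" rel="nofollow">%s</a>' % (url, label)
    return match.group(0)  # unknown scheme: leave it as inert text

def render_safe(text):
    """Escape all user input first, then add only tags the renderer generates."""
    escaped = html.escape(text, quote=True)  # < > & " ' become entities
    out = re.sub(r"\*\*(.+?)\*\*", r"<strong>\1</strong>", escaped)
    out = re.sub(r"\[([^\]]+)\]\(([^)\s]+)\)", _link, out)
    return '<div class="wiki">' + out + '</div>'

def has_live_script(page):
    """True if the page contains a real <script> tag a browser would run."""
    return re.search(r"<\s*script\b", page, re.IGNORECASE) is not None

if __name__ == "__main__":
    print(render_unsafe(SUBMITTED))  # the script tag reaches the browser intact
    print(render_safe(SUBMITTED))    # the script tag is shown as plain text
```

Because escaping happens before any formatting, every tag in the safe output was written by the renderer, never by the person who submitted the text.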
Oh this looks close to some of the stuff she was saying about script attacks. Ok so she enabled automod and I added the rules to the wiki. She’s frustrated and wants me to only use the sidebar and not put anything into the wiki because the wiki can be used in a script attack. I told her that if the wiki can be used then the sidebar can be used therefore it makes no difference if I use the wiki or not.
It mostly devolved into “you’re creating another access point for hackers” from there...
Edit: forgot word
Additionally, you kind of need to gain authorization before you can make those changes, anyway, so it doesn't really matter. If a hacker gains authorization, they can use whatever they want.
Yes, I'm aware. I'm just stating that wiki vs. sidebar doesn't matter because anyone who can actually utilize such an exploit will already have the necessary authorization to add wiki pages.
I said something along those lines to her and I followed it up with me using the wiki tab for rules is the same as putting the rules in the sidebar. But since it’s another tab “I’ve created another access point for hackers”
I get the sense that you're primarily interested in keeping a reddit space secure—you don't need to worry much beyond protecting your mod list. There aren't too many things a user without privileges can do that you'll need to worry about—reddit's been pretty battle-tested.
I think other people have covered it pretty well, but basically:
Yes, script injection (XSS) and SQL injection are attacks/vulnerabilities that exist in general, but there's protection against them on reddit. If you can find an injection vulnerability on reddit that would be a really big deal. Note that they have been found in the past, for example about 9 years ago someone figured out a way to get past the sanitization in comments and made a "worm" that spread itself through JavaScript injected in comments and made a big mess of the site: https://www.theregister.co.uk/2009/09/28/reddit_xss_worm/
I can't think of any other ones happening any time recently though, and the sidebar/wiki in particular should be totally safe. It's always possible that there's a vulnerability, but very unlikely.
Thank you soooo much for responding. I just couldn’t see the admins leaving that huge of a security hole and with no attempts to exploit it. Like why go through the trouble of breaking federal laws to get someone’s password when you can just use the wiki and leave the FBI out of it?
Thank you for your thoughtful response. I could kind of see where she’s coming from now in a very global sense. For example, yes it’s possible I could get kicked in the face by a horse tomorrow and die. However, multiple events would need to take place first in order for that to happen. Those events could come to pass. But realistically, will they happen? Probably not.
The only way you're going to be able to insert content into the wiki or sidebar (assuming you've got wiki permissions set to mod only) is if you're a mod. It seems extremely unlikely that someone is going to be able to gain access to the moderator tools of a subreddit any other way. If they were, that would be a serious security problem and I'd wager that the Reddit admins would move to fix it immediately. In my ~4 years or so of modding I've never heard of a subreddit falling victim to such an exploit, and some subreddits are extremely high-profile and would be big targets for an attack like that.
Does this person have any proof whatsoever for their claims?
She really doesn’t have any proof. The articles she posted as proof of hackers’ abilities mentioned SQL injection and script attacks. As far as I can see, neither of those can be used if you only have access to reading a wiki.
She insists the subreddit can be hacked through the wiki or sidebar whether or not you have a mod password. My position is that you cannot make any changes to a subreddit unless you have mod or admin credentials.
Ask her to hack r/pics :P
No, you cannot "hack" a subreddit. You need to be a mod to change anything in a subreddit. And even if you could edit the wiki without being a mod, SQL injection or XSS (that's script attack) cannot be used. They're the most well-known attacks and it's really easy to defend against them. You'll have a hard time trying to find any site that's not protected against those attacks - Reddit, one of the biggest websites, is 100% protected.
This honestly sounds like music to my ears. I can think of so many hated subreddits that would have been hacked ad nauseam if the exploit she was referring to actually worked. If I had the stomach for it I’d post on voat and all the chans cuz they love fucking with redditors and SJW subreddits. They would have figured it out by now.
OP not my business but it feels like you're trying to get reasons to "shove it to her face" more than understanding if the concerns were real.
I suggest that you take a break before going back and talk again with this person, to not escalate this discussion on a personal level.
Oh I have no intention of bringing this information to her. But have you ever been in a situation where you’re pretty sure you know something, the other person is convinced you’re an idiot so you start second guessing yourself?
All of this is purely for my sanity. I just needed to know that I wasn’t as dumb as she was implying.
Unfortunately yes, that's why I was suggesting you take a breath if you want to come back with what you learnt here :)
That’s definitely a fair assumption. If you had asked me the same question immediately after I posted the initial question, we both know what my answer would have been 😉
But yeah. I was heated then. I’m wayyyyy calmer now. Maybe she’ll come around later, but I eventually realized that this isn’t the hill I want to die on so I let it go.
SQL injection and XSS attacks are absolutely real and common vulnerabilities, but they're well-known and Reddit has been around long enough that those should already be covered and defended against.
A vulnerability can only be exploited if a website hasn't defended against it. Her concerns aren't warranted unless she can demonstrate that Reddit has such a vulnerability, in which case she should be looking into whether or not they have a bug bounty program.
Yeah that’s the part that has me so frustrated. It’s just not a known vulnerability otherwise so many subreddits would have been the target of people they ban for starters. Every time a subreddit is taken over from the outside, it’s always been as a result of a stolen mod password.
I’m even more salty that she keeps saying that because I added the sub rules to the wiki, I created another access point for hackers.
What exactly does she mean by this? It's impossible to add content to the wiki if it's set to mods only (the default setting) and you're not a mod. How does she propose an attacker would inject any sort of script if they don't have access to the subreddit tools? Ask for a detailed process - just saying "They can inject it through the sidebar and wiki!" isn't really enough. Additionally, why does she even care? Is this a large subreddit that is a prime target for abuse?
It's good she's being cautious with security, but in this case she's definitely being too paranoid.
This is exactly how I feel. She didn’t mention an exploit. At least she didn’t mention one that made any sense to me. She just feels hackers have the ability to access mod tools through the wiki or sidebar. She did mention malicious script and SQL injection as options but I still don’t understand how hackers could use them on the wiki.
Since my knowledge is above basic and in no way as advanced as some of the folks who hang out here, I was hoping someone already knew what kind of exploit she was trying to explain to me.
She may feel that way, but the evidence does not support it. As long as she and other mods are taking their account security seriously (i.e., using 2FA, not reusing passwords, making sure any recovery email addresses are secure, etc), there shouldn't be any reason to expect a successful attack.
Thanks for humoring my newbie mod/IT questions lol.
If someone has gained control over a sub's wiki or sidebar, it's because a moderator account has been compromised. Most accounts that are "hacked" on reddit are compromised by people reusing their usernames/passwords on multiple forums.
You know all those shitty BB forums you signed up for 5 years ago and forgot about? The ones with the shitty security and sketchy backends? The username and password you used on that site has been leaked somewhere, I guarantee it. And then you went and created an account on reddit using that SAME username and password. Someone wanting to "hack" your account can very easily find those leaked lists of usernames and passwords, search for your username, enter that same password, and BAM. Account "hacked".
Happened to me today, I got a 2 factor auth request to a throw away steam account I'd forgotten I created years ago. Kinda mystified how they connected the password to that user name automatically (there's nothing on the account worth stealing so I doubt it was targeted).
Use 2 factor authentication & don't re-use passwords folks!
Yep, I learned my lesson the hard way when my Spotify account got compromised. Immediately got LastPass and spent ~4 hours going through every. single. site. I've ever registered on to set a unique password.
Ugh they got my Netflix account and then changed the language to Spanish. That was a fucked up day.
This is pretty much the only method I’ve heard of. Something that 2FA can almost eliminate. But she’s told everyone that I’m wrong and I’ve created another access point for hackers by putting rules in the wiki 🤷🏾♀️
Putting plain text in the wiki or sidebar won't do it, and I doubt you could put any JavaScript in there and have it not be visible to everybody else viewing the subreddit.
Do you have any knowledge of SQL injections? Can they be used on the wiki or sidebar if you’re not a mod?
(I wish I knew enough about this to know whether I’m even phrasing this question correctly)
If Reddit allows the execution of arbitrary SQL queries from either the wiki or the sidebar, then that site's an even bigger pile of shit than I had previously dared to imagine.
If you want to understand how Reddit works, I'd suggest taking a look at their API documentation. The API defines how sites can talk to Reddit. If you can somehow make API calls to Reddit from either the sidebar or wiki, then you might be able to do SQL injections if the developers are incompetent enough to trust input instead of sanitizing it.
That’s what another user mentioned. Reddit’s CSS is sanitized while voat’s is not. It seems, on voat, there’s some vulnerability to the kind of attack this person I’m talking with alluded to. But the same does not appear to apply to reddit if I understood correctly.
I’ll take a stab at reading the API. I might nope out since the majority of comp stuff I have experience with is setting up networking bullshit like personal servers and smart appliances around my apartment.
I'm not who you were replying to, but in a word: No.
You can only perform a SQL injection if you can enter some text into the website and have the website process that text in a certain way. Since you can only edit the wiki/sidebar if you're a mod, it's not possible for normal users to attempt to perform a SQL injection on reddit in this way.
XSS attacks (strictly, stored XSS) can similarly only be performed if you can edit the text on a website. Since normal users can't edit the wiki or sidebar, normal users can't use them to attempt XSS.
Note: you could attempt an XSS attack, since you can edit the wiki. This would mean that you inserted a script into the wiki, with the aim of making users' browsers execute that script when they viewed the page. However, it's very unlikely that reddit is vulnerable to this kind of attack, as it's a well-known type of attack.
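What "process that text in a certain way" means in practice, as an added example that is not part of the original comment and not Reddit's code: the same page lookup written with string concatenation and with a bound parameter. The `wiki` table, the function names and the crafted input are constructed for illustration.

```python
import sqlite3

def make_db():
    """In-memory stand-in for a site's wiki storage (constructed sample data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wiki (page TEXT, body TEXT, mods_only INTEGER)")
    db.executemany("INSERT INTO wiki VALUES (?, ?, ?)", [
        ("rules", "Be kind. No spam.", 0),
        ("modnotes", "Internal moderator notes", 1),
    ])
    return db

def lookup_unsafe(db, page):
    """Vulnerable: the submitted text becomes part of the SQL statement itself."""
    sql = "SELECT page FROM wiki WHERE mods_only = 0 AND page = '" + page + "'"
    return [row[0] for row in db.execute(sql)]

def lookup_safe(db, page):
    """Parameterized: the submitted text is bound as data and never parsed as SQL."""
    sql = "SELECT page FROM wiki WHERE mods_only = 0 AND page = ?"
    return [row[0] for row in db.execute(sql, (page,))]

# Constructed input containing a quote that ends the string literal early.
CRAFTED = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print(lookup_unsafe(db, "rules"))   # normal input behaves the same either way
    print(lookup_unsafe(db, CRAFTED))   # the WHERE clause no longer filters
    print(lookup_safe(db, CRAFTED))     # treated as an odd page name: no match
```

With the bound parameter, the crafted string is just a page name that does not exist, which is why text stored in or read from a wiki is harmless when the site handles it as data.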
I appreciate your response. I was worried that I was on the wrong track because I’ve never worried about this stuff beyond making sure my personal accounts are secure. Apparently there’s hope for me yet.
I would say that it's on them to explain how exactly they think that works...by "hack in" I think you mean have moderator-level control over a subreddit or otherwise steal the account credentials of a mod.
I'm in IT but don't know enough about reddit to say anything definitive, but I'm highly skeptical of the claims.
I appreciate the reply regardless. She mentioned script attacks through the wiki or sidebar displayed on the website. I don’t know how you can put executable code into either of those places without a password. I’m kinda going around in circles trying to figure out how that would work.