reddit is today’s hacking playground

“reddit is the hacking playground for today.”

so says richard stiennon, zdnet blogger, in an article from today, “using social networks for ddos. reddit as hacker tool.”

stiennon is referring to an incident that began late last night with omghax1337 posting “dear riaa… from your friendly neighborhood hackers”. omghax1337’s link took advantage of a failure on the riaa’s part to properly sanitize data it accepts as input. with this vulnerability, users were able to do things like this:

[image: riaa]

unfortunately for the riaa, that wasn’t all. later, eurleif posted a link titled “this link runs a slooow sql query on the riaa’s server. don’t click it; that would be wrong.” the link was to the aforementioned script, taking advantage of the sql injection vulnerability to execute a cpu-intensive query on the riaa’s webserver.

of course, the reddit users didn’t heed eurleif’s warning and did, indeed, “click it” — with the eventual effect being a distributed denial of service attack. webserver go bye bye.

while that event was playing out, someone else upped the ante. not being content with simply crashing their server, an unknown person decided to go ahead and delete all of the database content. that led to all of the articles on the riaa’s website showing up as “temporarily removed”.
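for the defensive side of the three things that went wrong above (input treated as sql, a query that eats the cpu, and deleted content), here is an added example. it is not code from the riaa's site or from anyone quoted in this post; it uses python's sqlite3 module, and the table, column and function names are made up for illustration.

```python
import os
import sqlite3
import tempfile

def make_db(path):
    """Build a constructed sample database (schema and rows are made up)."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)")
    con.executemany("INSERT INTO articles (title) VALUES (?)",
                    [("press release",), ("faq",)])
    con.commit()
    con.close()

def open_public(path):
    """Connection for the public-facing script: read-only, so a statement
    that tries to delete or change rows fails instead of running."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)

def search_unsafe(con, term):
    # The flaw: user input is pasted into the SQL text and parsed as SQL.
    sql = "SELECT title FROM articles WHERE title = '" + term + "'"
    return con.execute(sql).fetchall()

def run_bounded(con, sql, params=(), max_steps=200_000):
    """Run one statement, aborting it after roughly max_steps VM instructions."""
    ticks = 0
    def tick():
        nonlocal ticks
        ticks += 1
        return 1 if ticks * 1000 > max_steps else 0  # non-zero aborts the query
    con.set_progress_handler(tick, 1000)  # called every 1000 VM instructions
    try:
        return con.execute(sql, params).fetchall()
    finally:
        con.set_progress_handler(None, 0)

def search_safe(con, term):
    # Input is bound as a parameter, so it is only ever compared as data.
    return run_bounded(con, "SELECT title FROM articles WHERE title = ?", (term,))

if __name__ == "__main__":
    path = os.path.join(tempfile.mkdtemp(), "site.db")
    make_db(path)
    con = open_public(path)
    hostile = "x' OR '1'='1"             # constructed input
    print(search_unsafe(con, hostile))   # every row comes back
    print(search_safe(con, hostile))     # no rows: the text matched no title
```

on a server database the same three controls are bound parameters, a statement timeout, and a database account for the public script that has no delete or update rights.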

earlier today, the content was restored and it appears that the riaa has plugged the hole. as stiennon mentions, however:

“this event is a great study in mob behavior. there is no love lost between any technologist and the riaa who is viewed as a corporate king canute commanding the tides to stop. so a call to action that involves a ‘minor’ thing like clicking on a link that set off a malicious attack got at least 649 up mods (user’s votes). did 659 people click through? no way to know and it is a moot point because some impatient hacker took it upon himself to execute a more targeted attack.”

disclaimer: i’m not advocating hacking the riaa (or anyone else). i will note, however, that karma’s a bitch. =)
