Reddit.com, a popular aggregator for web news and discussion, was attacked sometime yesterday with a massive cross-site scripting exploit that caused even hovering over a comment on the site to spam thousands of comments from the user’s computer. It didn’t result in any malicious changes to the user’s computer, but the massive traffic and network activity quickly brought Reddit to its knees. As of this writing (1:13pm CET, or 5:13am Central), Reddit appears to have recovered, but “hot” activity has been dormant for hours.

Reddit users were not amused. Capture taken at 6:13AM Eastern

The exploit appears to have been Javascript-based, so using a Firefox addon like NoScript or turning off Java in your browser before visiting reddit would have prevented you from adding to the comment bomb. Investigation is surely forthcoming.