Reddit silliness

   Posted by: Joshbw    in General Ramblings    28 Sep 2009

There is an interesting writeup on the Reddit blog about the particular vulnerability that led to their exploitation. In general it is a reasonably informative writeup that delves into their mistake, and I wish all security flaws received such an informative writeup (you occasionally see Michael Howard delve into the details of a Microsoft vulnerability, but it is hardly the norm).

That said, there is a bit of silliness in one of their quotes:

As a matter of fact, these bugs were only exploitable because we are open source. The worm author had to scour the source of our output filter to find these holes. We cannot hide behind security through obscurity, and we like it that way. We also rely on our users reporting security bugs in a responsible manner.

There are a lot of reasons to choose the OSS model and extol its virtues, but it is craziness to PREFER that malicious users have access to the source code and thus have an easier time finding flaws. It’s a trade-off of the OSS model for sure, and you can’t have the good without the bad, but I think it largely isn’t unfair to say that folks would be happier if only well-intentioned individuals had access to the source code (save for Stallman, but he also believes a person should be more proud of contributing to the Linux kernel than of raising kids, so I think we can relegate him to fringe nutjob). One could argue that it puts added pressure on fixing even seemingly small issues because of public scrutiny, or other such philosophies, but at the end of the day that statement ultimately amounts to Reddit preferring the greater risk. That is not to say that the benefits don’t outweigh the risks for a particular company and a particular business model, but from the standpoint of avoiding the exploitation of vulnerabilities, security controls + obscurity is better than just security controls. The less an attacker can know about you the better off you are; you can’t *rely* on them being ignorant of you, but at the same time it is always better to try and keep them in the dark.

Obscurity alone does not ensure security, hence the various statements about security through obscurity being a fallacy, but it does have security utility (and indeed is a necessity at times – your encryption is only secure so long as your key is obscure). Obscurity raises the cost for an attacker, all other factors being equal, since it increases the effort needed to remove the obscurity. If two sites seem to have strong input and output controls and I want to break into either of them, I will choose the one with open source code, because it will take me far less time to examine the code for flaws than to try esoteric attacks in the hope that one sticks (which would also increase the chances of tripping any IDS or IPS solution deployed). Thus being closed source has benefits in that regard. Indeed, if Reddit had been closed source the likelihood of this vulnerability being exploited would be far lower; the code would still be vulnerable, but the cost of finding that vulnerability is such that the attacker would probably spend their time elsewhere.

In the end obscurity doesn’t ensure security, but it does reduce risk. Risk is the product of likelihood and impact, and obscurity does decrease the likelihood – it doesn’t reduce it to 0, but it does decrease it. That’s why most pen testers will write up any unnecessary disclosure of information, even if it is just server tokens, because from a risk standpoint it is BETTER to be obscure than not.

And just to be a bit snarky, if Reddit really didn’t believe in Security through Obscurity they would favor Full Disclosure over Responsible Disclosure. The latter hopes to obscure the details of a vulnerability until it can be fixed, while the former has no obscurity to speak of. Of course it also means the chances of a malevolent party exploiting the vulnerability increase, but that was pretty much the point of my post anyway.

~ Joshbw