Saturday, February 18, 2012

XSS vulnerability in about.me

 
About.me was vulnerable to a persistent XSS attack. A malicious user could have executed arbitrary JavaScript in any visitor's browser.

About.me allows users to display their content from external social media websites such as Twitter, Facebook, and so on. The vulnerability that I detected was in the program that displays GitHub content. An attacker would have needed to create a GitHub repository with a simple XSS vector in its description and to import his GitHub account into his about.me profile. Subsequently, if a visitor had clicked on the button for the attacker's GitHub repositories, the XSS vector would have been activated.
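The flaw described above comes down to third-party text (the repository description) being placed into the page as markup. The following is an added example, not about.me's code: the field names `name`, `description` and `html_url` follow the GitHub repository API, while the render functions and the sample data are hypothetical and constructed for illustration.

```javascript
// Added example. Assumption: repositories arrive as objects shaped like the
// GitHub API's (name, description, html_url). Render functions are hypothetical.

// Constructed sample data: one ordinary repo, one whose description carries markup.
const sampleRepos = [
  { name: "dotfiles", description: "My shell & editor config",
    html_url: "https://github.com/example/dotfiles" },
  { name: "demo", description: "<script>alert(1)</script>",
    html_url: "https://github.com/example/demo" },
];

// Vulnerable pattern: imported strings are concatenated straight into markup,
// so the description is parsed as HTML by every visitor's browser.
function renderRepoUnsafe(repo) {
  return `<li><a href="${repo.html_url}">${repo.name}</a>: ${repo.description}</li>`;
}

// Escape the characters that are significant in HTML text and quoted attributes.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value ?? "").replace(/[&<>"']/g, (ch) => map[ch]);
}

// Only http(s) links are emitted; anything else becomes an inert fragment link.
function safeUrl(value) {
  try {
    const url = new URL(String(value));
    return url.protocol === "https:" || url.protocol === "http:" ? url.href : "#";
  } catch {
    return "#";
  }
}

// Hardened form: every imported field is encoded for the context it lands in.
function renderRepoSafe(repo) {
  return `<li><a href="${escapeHtml(safeUrl(repo.html_url))}">` +
         `${escapeHtml(repo.name)}</a>: ${escapeHtml(repo.description)}</li>`;
}

function renderRepoList(repos, renderOne) {
  return `<ul>${repos.map(renderOne).join("")}</ul>`;
}
```

In a browser, assigning the description through `textContent` instead of building an HTML string achieves the same result without a hand-written escaper.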

After I reported the vulnerability, they fixed it quickly and sent me the hoodie jacket shown in the picture on the left.
I have also found similar vulnerabilities in many other websites; some of them are not fixed yet.