About.me was vulnerable to a persistent (stored) XSS attack: a malicious user could have run arbitrary JavaScript in the browser of any visitor to his profile.
About.me lets users display their content from external social media sites such as Twitter, Facebook, and so on. The vulnerability I found was in the component that renders a user's Github content: the description of each repository was inserted into the page without HTML encoding. An attacker only needed to create a Github repository with a simple XSS vector in its description and import his Github account into his about.me profile. From then on, whenever a visitor clicked the button that lists the attacker's Github repositories, the XSS vector fired in the visitor's browser.
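A minimal model of the flaw, as an added example that is not About.me's code: a widget that builds the repository list by concatenating the (attacker-controlled) description straight into HTML, beside a hardened version that encodes every untrusted field. The repository objects mimic the shape of GitHub's "list repositories for a user" API response, but the data, the payload and the function names are constructed for this illustration.

```javascript
// Constructed sample: what a "list repos" call for the attacker's account
// might return. Only the second entry is attacker-controlled in the sense
// that matters; GitHub accepts arbitrary text as a repository description.
const repos = [
  { name: "dotfiles", description: "My shell config" },
  { name: "pwn", description: '<img src=x onerror="alert(document.cookie)">' },
];

// Vulnerable renderer: untrusted description is concatenated into markup
// that will later be assigned to innerHTML. The <img onerror> payload
// survives verbatim and runs in every visitor's browser.
function renderReposUnsafe(list) {
  return list
    .map((r) => `<li><b>${r.name}</b>: ${r.description}</li>`)
    .join("\n");
}

// Encode the five characters that can break out of an HTML text or
// double-quoted attribute context.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened renderer: every field that came from the third-party API goes
// through escapeHtml before it touches the markup. Note that the name is
// encoded too; the fix is "encode all untrusted output", not "encode the
// field we happened to get caught on".
function renderReposSafe(list) {
  return list
    .map((r) => `<li><b>${escapeHtml(r.name)}</b>: ${escapeHtml(r.description)}</li>`)
    .join("\n");
}

// Crude stand-in for the browser's HTML parser: does a raw tag survive?
function containsRawTag(html) {
  return /<img\b/i.test(html);
}

console.log("unsafe:\n" + renderReposUnsafe(repos));
console.log("safe:\n" + renderReposSafe(repos));
```

In a real page the simplest fix is to stop building HTML strings at all and set `textContent` on an element created for each field; the encoding function above is the equivalent when the markup is assembled on the server or in a template.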
After I reported the vulnerability, they fixed it quickly and sent me the hoodie jacket shown in the picture on the left.
I have also found similar vulnerabilities in many other websites; some of them are not fixed yet.
Nice jacket ;)
Good job
GJ
Thank you
Thanks, great blog post