
Thursday, May 3, 2012

Summary of my vulnerability report during March, 2012


I summarized the number of web application vulnerabilities that I reported during March, 2012.
  • Reported and fixed: 11 vulnerabilities
  • Reported but not fixed yet: 6 vulnerabilities
  • Not reported yet: 4 vulnerabilities
This is the same set broken down by the Alexa rank of the affected website.
  • Reported and fixed
    • Rank 1 ~ 1,000: 1 vulnerability
    • Rank 1,001 ~ 10,000: 6 vulnerabilities
    • Rank 10,001 ~ 100,000: 1 vulnerability
    • Rank 100,001 ~ : 3 vulnerabilities
  • Reported, but not fixed yet
    • Rank 1,001 ~ 10,000: 1 vulnerability
    • Rank 10,001 ~ 100,000: 2 vulnerabilities
    • Rank 100,001 ~ : 3 vulnerabilities
  • Not reported yet
    • Rank 1 ~ 1,000: 1 vulnerability
    • Rank 1,001 ~ 10,000: 1 vulnerability
    • Rank 10,001 ~ 100,000: 2 vulnerabilities
    • Rank 100,001 ~ : 1 vulnerability
In the "Reported and fixed" category, this is the time between when I reported the vulnerability and when it got fixed.
  • 1 day: 3 vulnerabilities
  • 1 week: 7 vulnerabilities
  • 1 month: 1 vulnerability

Saturday, February 18, 2012

XSS vulnerability in about.me

About.me was vulnerable to a persistent (stored) XSS attack. A malicious user could have executed arbitrary JavaScript in the browser of any visitor to the affected page.

About.me allows users to display their content from external social media websites such as Twitter, Facebook, and so on. The vulnerability that I detected was in the component that displays GitHub content. An attacker would have needed to create a GitHub repository with a simple XSS vector in its description and to import his GitHub account into his about.me profile. Subsequently, if a visitor had clicked on the button for the attacker's GitHub repositories, the XSS vector would have been executed, because the repository description was inserted into the page without HTML escaping.

After I reported the vulnerability, they fixed it quickly and sent me the hoodie jacket shown in the picture on the left.
I have also found similar vulnerabilities in many other websites; some of them are not fixed yet.
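The bug class above comes from treating third-party API data (here, a repository description) as trusted markup. The following is an added example, not code from about.me or from the author; the repository objects are a constructed subset of a GitHub-style API response, and the function names are hypothetical.

```javascript
// Constructed sample: one benign repository and one whose description
// carries HTML, as any user-controlled field can when imported unescaped.
const sampleRepos = [
  { name: "dotfiles", description: "My shell config" },
  { name: "demo", description: "<script>alert(1)</script>" },
];

// Vulnerable rendering: untrusted fields are concatenated straight into
// markup, so any tag in a description becomes part of the profile page.
function renderReposUnsafe(repos) {
  return repos
    .map((r) => `<li><b>${r.name}</b>: ${r.description}</li>`)
    .join("");
}

// Minimal HTML-entity escaping for text placed in element content or in
// double-quoted attribute values. In a browser, assigning to textContent
// instead of innerHTML achieves the same thing without a helper.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened rendering: every third-party string is escaped at the point it
// enters the HTML context, so the template's own tags are the only tags.
function renderReposSafe(repos) {
  return repos
    .map((r) => `<li><b>${escapeHtml(r.name)}</b>: ${escapeHtml(r.description)}</li>`)
    .join("");
}

// Regression check for the rendering layer: no raw <script> tag may
// survive that the template itself did not emit.
function containsRawScript(html) {
  return /<script\b/i.test(html);
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafe:", renderReposUnsafe(sampleRepos));
  console.log("safe:  ", renderReposSafe(sampleRepos));
}
```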