tag:blogger.com,1999:blog-18930888721382944002024-12-18T19:27:57.292-08:00Francisco Correa Security.log Senior Security Consultant - Proof &amp; Concepts - Deeplook SpAUnknownnoreply@blogger.comBlogger18125tag:blogger.com,1999:blog-1893088872138294400.post-71208009677995739482017-05-17T15:57:00.001-07:002017-05-17T18:22:29.102-07:00One Cloud-based Local File Inclusion = Many Companies affected<br /> Hi everyone, Today, I'm going to share how I found a Local File Inclusion that affected companies like Facebook, Linkedin, Dropbox and many others.<br /> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiafrJ4F7tueUruySvktlzdOl6SoGlQU0IuCQvj7cNp2aKsmSNCP4L5C5Ruc_zeVdwlKTTrkCbgGCjU1nLIXJgIXZcWBQlcWEWzVcrSVMBremCo336lIyL_siBNq6FtTNvNsvMzzOkZAikT/s1600/final.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiafrJ4F7tueUruySvktlzdOl6SoGlQU0IuCQvj7cNp2aKsmSNCP4L5C5Ruc_zeVdwlKTTrkCbgGCjU1nLIXJgIXZcWBQlcWEWzVcrSVMBremCo336lIyL_siBNq6FtTNvNsvMzzOkZAikT/s400/final.jpg" width="400" /></a></div> <br /> <br /> <br /> The LFI was located at the cloud system of Oracle Responsys. For those who do not know Responsys is an enterprise-scale cloud-based business to consumer (B2C). Responsys gives every Business their own "private IP" to use the system in a private way. Business are not sharing IP with other companies.)<u></u><br /> <u><br /></u> <u>How did I found this bug?</u><br /> <br /> Well as usual I was looking for bugs and I note that Facebook was sending me developer emails from the subdomain <a href="mailto:fbdev@em.facebookmail.com">em.</a>facebookmail.com. For example on my inbox, I had emails from <a href="mailto:fbdev@em.facebookmail.com">fbdev@em.facebookmail.com</a> <br /> <br /> This got me interested on the subdomain <a href="https://l.facebook.com/l.php?u=http%3A%2F%2Fem.facebookmail.com%2F&amp;h=ATNaWw8WD7lkICpdnaFmnbJ2TNNOeYZh_Bx8cK_Mv5riO4jyk9q7kku16XGujiaJkEt2Y_iuQb7Fhvm2J6PRYOXrhn8YyjxkkM-J9-tSEseZux0ckMHE9PbpmkdHjt-3pSaSqsqoAQ&amp;s=1">em.facebookmail.com</a> and after a quick DIG I note that this subdomain was connected to "Responsys" which I had previously seen in other Pentests<br /> <br /> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgkPkUEYjl5U9bQ6ixZMGGZUfo5uR9Q8nVTEQchVpvvxejk7amGJCbaaVGrYbxXeAY7JQw_mla4exhfhzSd8CLS8RloM_XP8ieoukzp7Fd9YKVTCK6baV6IkLDWNDZcymgbeyt3lSq5VMXf/s1600/Screen+Shot+2017-05-17+at+5.29.29+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="94" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgkPkUEYjl5U9bQ6ixZMGGZUfo5uR9Q8nVTEQchVpvvxejk7amGJCbaaVGrYbxXeAY7JQw_mla4exhfhzSd8CLS8RloM_XP8ieoukzp7Fd9YKVTCK6baV6IkLDWNDZcymgbeyt3lSq5VMXf/s640/Screen+Shot+2017-05-17+at+5.29.29+PM.png" width="640" /></a></div> <br /> Responsys is providing <a href="https://l.facebook.com/l.php?u=http%3A%2F%2Fem.facebookmail.com%2F&amp;h=ATNaWw8WD7lkICpdnaFmnbJ2TNNOeYZh_Bx8cK_Mv5riO4jyk9q7kku16XGujiaJkEt2Y_iuQb7Fhvm2J6PRYOXrhn8YyjxkkM-J9-tSEseZux0ckMHE9PbpmkdHjt-3pSaSqsqoAQ&amp;s=1">em.facebookmail.com</a> with the email services as you can see above. The original link I found in my inbox was something like this:<br /> <br /> <i>http://em.facebookmail.com/pub/cc?_ri_=X0Gzc2X%3DWQpglLjHJlYQGkSIGbc52zaRY0i6zgzdzc6jpzcASTGzdzeRfAzbzgJyH0zfzbLVXtpKX%3DSRTRYRSY&amp;_ei_=EolaGGF4SNMvxFF7KucKuWNhjeSKbKRsHLVV55xSq7EoplYQTaISpeSzfMJxPAX8oMMhFTpOYUvvmgn-WhyT6yBDeImov65NsCKxmYwyOL0.</i><br /> <br /> I note that the parameter "<i>_ri_=</i>" is required in order to generate a valid request. And after a bit of testing around, I found that the system was not correctly handling double URL Encoding and using a correct value at the parameter "_ri_"&nbsp; I could inject <i>"%252fetc%252fpasswd"</i> into the URL path. <br /> <br /> This was not properly sanitized and was allowing directory traversal characters to be injected and with this retrieve internal files from the affected server.<br /> <br /> <u>An example of the Vulnerable URL:</u><br /> <br /> <i>http://em.facebookmail.com/pub/sf/%252fetc%252fpasswd?_ri_=X0Gzc2X%3DYQpglLjHJlYQGrzdLoyD13pHoGgHNjCWGRBIk4d6Uw74cgmmfaDIiK4za7bf4aUdgSVXMtX%3DYQpglLjHJlYQGnnlO8Rp71zfzabzewzgLczg7Ulwbazahw8uszbNYzeazdMjhDzcmJizdNFCXgn&amp;_ei_=Ep0e16vSBKEscHnsTNRZT2jxEz5WyG1Wpm_OvAU-aJZRZ_wzYDw97ETX_iSmseE</i><br /> <br /> <br /> Soon as I saw the vulnerability I knew that this LFI was not only affecting Facebook but also many other companies. All of them using different Private IPs provided by Responsys.<br /> <br /> A quick Google Search show me other affected companies with this same bug.<br /> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhVdQTJIYc9ElMfzwD8gnk5VjitZ39KwKkloV66ruvbt6EWj1amOGzb_rDeI4TL-vKaszoi7tH2ZDeQEyzevYPbbvigBakRvBrZOVnTP_WzsB8PvdNZwiy1OkIFAHP_axItuPFnJZ1y77D9/s1600/Screen+Shot+2017-05-17+at+5.44.45+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhVdQTJIYc9ElMfzwD8gnk5VjitZ39KwKkloV66ruvbt6EWj1amOGzb_rDeI4TL-vKaszoi7tH2ZDeQEyzevYPbbvigBakRvBrZOVnTP_WzsB8PvdNZwiy1OkIFAHP_axItuPFnJZ1y77D9/s640/Screen+Shot+2017-05-17+at+5.44.45+PM.png" width="569" /></a></div> <br /> <br /> Copying a valid value from the parameter _ri_ to the target company I could retrieve internal information using the same technique.<br /> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtpXjUKrsAgJnmBJ4NYpOaqpxIYa2oDNw5KPEPPJX-9n6k60j8GLMCLsgL2LSmhototLbtuX9BPFXoKjQXtjdx5d52texus9B2cvZ8Eu17dhJBVqY-2UcM_D5cC8lyBxyJxePcxZOkKSJt/s1600/linkedin.com.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="129" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtpXjUKrsAgJnmBJ4NYpOaqpxIYa2oDNw5KPEPPJX-9n6k60j8GLMCLsgL2LSmhototLbtuX9BPFXoKjQXtjdx5d52texus9B2cvZ8Eu17dhJBVqY-2UcM_D5cC8lyBxyJxePcxZOkKSJt/s640/linkedin.com.png" width="640" /></a></div> <br /> <br /> <br /> The impacts of exploiting a Local File Inclusion (LFI) vary from information disclosure to complete compromise of the systems. In this case the impact it worst because one vulnerability affected multiple companies data.<br /> <br /> I report this bug to Oracle and the bug got fixed within a week.<br /> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKMKviAKemMEQMEWTq_zv5wij3wq6SeBjiSissmt_Sb6F16mtE-jVPe3g339_38Adi_H-yz7VaJbf4OWf1hvgGCp4wWN6RPpJmyTWw2JXtdXmkFPDchHHkJCam5ZQNvH-PTISngCxLOq2x/s1600/Screen+Shot+2017-05-17+at+6.49.55+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="195" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKMKviAKemMEQMEWTq_zv5wij3wq6SeBjiSissmt_Sb6F16mtE-jVPe3g339_38Adi_H-yz7VaJbf4OWf1hvgGCp4wWN6RPpJmyTWw2JXtdXmkFPDchHHkJCam5ZQNvH-PTISngCxLOq2x/s640/Screen+Shot+2017-05-17+at+6.49.55+PM.png" width="640" /></a></div> <br /> <br />Unknownnoreply@blogger.comtag:blogger.com,1999:blog-1893088872138294400.post-91890381917261543292017-04-17T15:47:00.001-07:002017-04-17T16:04:39.450-07:00Stored XSS at Google firebase via Google Cloud IAM<div style="-webkit-text-stroke-width: 0px; background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 12.8px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: normal; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"> <span style="color: #212121; font-family: &quot;roboto&quot; , &quot;helvetica neue&quot; , &quot;helvetica&quot; , sans-serif; font-size: 13px;">Google Firebase demo console platform was allowing an attacker to store an XSS under the project name. </span><span style="color: #212121; font-family: &quot;roboto&quot; , &quot;helvetica neue&quot; , &quot;helvetica&quot; , sans-serif;">This vulnerability was created on the main page of the select project.&nbsp;</span><br /> <br /> <span style="color: #212121; font-family: &quot;roboto&quot; , &quot;helvetica neue&quot; , &quot;helvetica&quot; , sans-serif;"><span style="font-family: &quot;roboto&quot; , &quot;helvetica neue&quot; , &quot;helvetica&quot; , sans-serif;">-</span> </span></div> <div style="-webkit-text-stroke-width: 0px; background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 12.8px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: normal; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"> </div> <div style="-webkit-text-stroke-width: 0px; background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 12.8px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: normal; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"> <span style="color: #212121; font-family: &quot;roboto&quot; , &quot;helvetica neue&quot; , &quot;helvetica&quot; , sans-serif; font-size: 13px;">"The Firebase demo project is a standard Firebase project with fully functioning Analytics, Crash Reporting, Test Lab, Notifications, Google Tag Manager and Remote Config features. Any Google user can access it. It’s a great way to look at real app data and explore the Firebase feature set."&nbsp;</span><span style="color: #212121; font-family: &quot;roboto&quot; , &quot;helvetica neue&quot; , &quot;helvetica&quot; , sans-serif;"><i><a data-saferedirecturl="https://www.google.com/url?hl=en&amp;q=https://support.google.com/firebase/answer/7157552&amp;source=gmail&amp;ust=1492553800746000&amp;usg=AFQjCNGsIPyWJnXg5N3ZVrUJcTiB9vQoGQ" href="https://support.google.com/firebase/answer/7157552" style="color: #1155cc;" target="_blank">https://support.google.c<wbr></wbr>om/firebase/answer/7157552</a></i></span><br /> <span style="color: #212121; font-family: &quot;roboto&quot; , &quot;helvetica neue&quot; , &quot;helvetica&quot; , sans-serif;"><i>- </i></span></div> <div style="-webkit-text-stroke-width: 0px; background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 12.8px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: normal; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"> <span style="color: #212121; font-family: &quot;roboto&quot; , &quot;helvetica neue&quot; , &quot;helvetica&quot; , sans-serif;"><br /></span></div> <div style="-webkit-text-stroke-width: 0px; background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 12.8px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: normal; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"> <span style="color: #212121; font-family: &quot;roboto&quot; , &quot;helvetica neue&quot; , &quot;helvetica&quot; , sans-serif;">Using Google IAM <span style="font-family: &quot;roboto&quot; , &quot;helvetica neue&quot; , &quot;helvetica&quot; , sans-serif;">(</span><a href="http://console.cloud.google.com/">console.cloud.google.com</a>) was possible to create a payload and share it to the victim. Once the victim accepts the invitation at console.firebase.google.com the payload was rendered on the main project page.</span><span style="color: #212121; font-family: &quot;roboto&quot; , &quot;helvetica neue&quot; , &quot;helvetica&quot; , sans-serif;"><span style="color: #212121; font-family: &quot;roboto&quot; , &quot;helvetica neue&quot; , &quot;helvetica&quot; , sans-serif;"></span></span><br /> <span style="color: #212121; font-family: &quot;roboto&quot; , &quot;helvetica neue&quot; , &quot;helvetica&quot; , sans-serif;"><span style="color: #212121; font-family: &quot;roboto&quot; , &quot;helvetica neue&quot; , &quot;helvetica&quot; , sans-serif;"><br /></span></span> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIP9K0uQQ7xDT3V9ZIIh8WgQC7_7dGe9SCZodnsHEsHNh-gZfZxkGlR23UAZwqEeUky8SCjEP816yETMAbr-YuAtpSericfXQdpEQ03Lv88LqoOvzhREX3BICwq6zsx8YBoY0XjpWy-7Gf/s1600/Screen+Shot+2017-01-15+at+7.19.42+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIP9K0uQQ7xDT3V9ZIIh8WgQC7_7dGe9SCZodnsHEsHNh-gZfZxkGlR23UAZwqEeUky8SCjEP816yETMAbr-YuAtpSericfXQdpEQ03Lv88LqoOvzhREX3BICwq6zsx8YBoY0XjpWy-7Gf/s640/Screen+Shot+2017-01-15+at+7.19.42+PM.png" width="640" /></a></div> <span style="color: #212121; font-family: &quot;roboto&quot; , &quot;helvetica neue&quot; , &quot;helvetica&quot; , sans-serif;"><span style="color: #212121; font-family: &quot;roboto&quot; , &quot;helvetica neue&quot; , &quot;helvetica&quot; , sans-serif;"><br /></span></span> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijAkkbyYRL0tlz0r4wFDQ7LTE0CjC9LzFEAXbZmzG0nworlu8K-98iN7Bgr1W2UfWBZN-0FNREG4udj_MDTHPPsI8_WohrTbwUYBf9GHHpXX-n2OO4QD6Jw4eqgCvfgkjKnzjloN85xHSo/s1600/Screen+Shot+2017-01-15+at+7.21.35+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijAkkbyYRL0tlz0r4wFDQ7LTE0CjC9LzFEAXbZmzG0nworlu8K-98iN7Bgr1W2UfWBZN-0FNREG4udj_MDTHPPsI8_WohrTbwUYBf9GHHpXX-n2OO4QD6Jw4eqgCvfgkjKnzjloN85xHSo/s640/Screen+Shot+2017-01-15+at+7.21.35+PM.png" width="640" /></a></div> <span style="color: #212121; font-family: &quot;roboto&quot; , &quot;helvetica neue&quot; , &quot;helvetica&quot; , sans-serif;"><span style="color: #212121; font-family: &quot;roboto&quot; , &quot;helvetica neue&quot; , &quot;helvetica&quot; , sans-serif;"><br /></span></span></div> <div style="-webkit-text-stroke-width: 0px; background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 12.8px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: normal; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"> <br /> <b>Impact:</b></div> <div style="-webkit-text-stroke-width: 0px; background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 12.8px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: normal; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"> The attacker could share a project from "<a data-saferedirecturl="https://www.google.com/url?hl=en&amp;q=http://console.cloud.google.com&amp;source=gmail&amp;ust=1492553800746000&amp;usg=AFQjCNGQZqU1cmwnmZMk5GH96ne2tKqC1A" href="http://console.cloud.google.com/" style="color: #1155cc;" target="_blank">console.cloud.google.com</a>" and store an XSS payload under<span class="Apple-converted-space">&nbsp;</span><a data-saferedirecturl="https://www.google.com/url?hl=en&amp;q=http://console.firebase.google.com&amp;source=gmail&amp;ust=1492553800746000&amp;usg=AFQjCNFSBSMsSTTAzMOQSjU0M-sLrUcbdg" href="http://console.firebase.google.com/" style="color: #1155cc;" target="_blank">console.firebase.google.com</a>. This stored payload was been rendered every time the victim access the project page.<br /> <br /></div> <div style="-webkit-text-stroke-width: 0px; background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 12.8px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: normal; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"> </div> <div style="-webkit-text-stroke-width: 0px; background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 12.8px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: normal; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"> <b>Bug Status:</b><br /> I report this bug to Google Security and they reward me and patch the bug within a week. I like to thanks, Google security team for the quick response and reward.<br /> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiaqF1FuYC8X_pQEDMcP_8fJIAkpcs1SnXymOiwa5yGqd4teYnA09ZxuxZKLio0EFCJZ5_JLdx7N1keITPIi5dd_Aw8RHnic7M0JcvwjBhejd9ik-LQ4uIvBKx7OKLflNphBD1PLNIJtQSi/s1600/Screen+Shot+2017-04-17+at+7.54.39+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="225" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiaqF1FuYC8X_pQEDMcP_8fJIAkpcs1SnXymOiwa5yGqd4teYnA09ZxuxZKLio0EFCJZ5_JLdx7N1keITPIi5dd_Aw8RHnic7M0JcvwjBhejd9ik-LQ4uIvBKx7OKLflNphBD1PLNIJtQSi/s640/Screen+Shot+2017-04-17+at+7.54.39+PM.png" width="640" /></a></div> </div> <div style="-webkit-text-stroke-width: 0px; background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 12.8px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: normal; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"> <br /></div> <div style="-webkit-text-stroke-width: 0px; background-color: white; color: #222222; font-family: arial,sans-serif; font-size: 12.8px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: normal; letter-spacing: normal; text-align: center; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;"> <span style="color: #212121; font-family: &quot;roboto&quot; , &quot;helvetica neue&quot; , &quot;helvetica&quot; , sans-serif;"><b>Video POC:</b></span></div> <div style="-webkit-text-stroke-width: 0px; background-color: white; color: #222222; font-family: arial,sans-serif; font-size: 12.8px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: normal; letter-spacing: normal; text-align: center; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;"> </div> <div class="separator" style="clear: both; text-align: center;"> <iframe allowfullscreen="" class="YOUTUBE-iframe-video" data-thumbnail-src="https://i.ytimg.com/vi/WZ8hIIkLJ8I/0.jpg" frameborder="0" height="266" src="https://www.youtube.com/embed/WZ8hIIkLJ8I?feature=player_embedded" width="320"></iframe></div> <div style="-webkit-text-stroke-width: 0px; background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 12.8px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: normal; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"> </div> <div style="-webkit-text-stroke-width: 0px; background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 12.8px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: normal; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"> </div> <div style="-webkit-text-stroke-width: 0px; background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 12.8px; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: normal; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"> </div> Unknownnoreply@blogger.comtag:blogger.com,1999:blog-1893088872138294400.post-66797170497347786352014-10-04T10:33:00.001-07:002014-10-04T14:57:43.889-07:00Store XSS on Main page of Flickr.com and Mobile Inteface<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;">Flickr is an image hosting and video hosting website, and web services suite that was created by Ludicorp in 2004 and acquired by Yahoo in 2005.&nbsp;</span></span><br /> <span style="font-family: Arial,Helvetica,sans-serif;"><br /></span> <span style="font-family: Arial,Helvetica,sans-serif;"><span style="background-color: white; color: #252525; display: inline ! important; float: none; font-size: 14px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 22.4px; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">Flickr had a total of 87 million registered members and more than 3.5 million new images uploaded daily.</span><span style="background-color: white; color: #252525; display: inline ! important; float: none; font-size: 14px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 22.4px; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;"><span class="Apple-converted-space"><sup> </sup></span>In August 2011 the site reported that it was hosting more than 6 billion images and this number continues to grow steadily according to reporting sources.</span></span><br /> <span style="-webkit-text-stroke-width: 0px; background-color: white; color: #252525; display: inline !important; float: none; font-family: sans-serif; font-size: 14px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 22.3999996185303px; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px;"><br /></span> <span style="-webkit-text-stroke-width: 0px; background-color: white; color: #252525; display: inline !important; float: none; font-family: sans-serif; font-size: 14px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 22.3999996185303px; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px;">I start doing my security research on </span><span style="-webkit-text-stroke-width: 0px; background-color: white; color: #252525; display: inline !important; float: none; font-family: sans-serif; font-size: 14px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 22.3999996185303px; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px;">flickr.com and I found some cool bugs but this XSS was my favorite because the XSS was showing on </span><span style="-webkit-text-stroke-width: 0px; background-color: white; color: #252525; display: inline !important; float: none; font-family: sans-serif; font-size: 14px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 22.3999996185303px; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px;"><span style="-webkit-text-stroke-width: 0px; background-color: white; color: #252525; display: inline !important; float: none; font-family: sans-serif; font-size: 14px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 22.3999996185303px; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px;">Flickr</span> main page and on the Mobile interface at m.</span><span style="-webkit-text-stroke-width: 0px; background-color: white; color: #252525; display: inline !important; float: none; font-family: sans-serif; font-size: 14px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 22.3999996185303px; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px;"><span style="-webkit-text-stroke-width: 0px; background-color: white; color: #252525; display: inline !important; float: none; font-family: sans-serif; font-size: 14px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 22.3999996185303px; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px;">flickr.com.</span>&nbsp;</span><br /> <br /> <span style="-webkit-text-stroke-width: 0px; background-color: white; color: #252525; display: inline !important; float: none; font-family: sans-serif; font-size: 14px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 22.3999996185303px; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px;">Affecting millions of users for sure..</span><br /> <span style="-webkit-text-stroke-width: 0px; background-color: white; color: #252525; display: inline !important; float: none; font-family: sans-serif; font-size: 14px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 22.3999996185303px; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px;"><br /></span> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXsP9_PLfzUuHHJrxegFEBaUt_P5DYyjwCK6gKG4Lo0Piv0jKaZsuzcrS72-q_elxK_azdenHl1k8s3PluWaM43oJCqqSnSvDYrlwSa8Cf5cf-jym-dfAsRSUacvvT73It138iM1jzI_Yv/s1600/m.flickr-comXSS.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXsP9_PLfzUuHHJrxegFEBaUt_P5DYyjwCK6gKG4Lo0Piv0jKaZsuzcrS72-q_elxK_azdenHl1k8s3PluWaM43oJCqqSnSvDYrlwSa8Cf5cf-jym-dfAsRSUacvvT73It138iM1jzI_Yv/s1600/m.flickr-comXSS.png" />&nbsp;</a></div> <div class="separator" style="clear: both; text-align: center;"> <br /></div> <span style="-webkit-text-stroke-width: 0px; background-color: white; color: #252525; display: inline !important; float: none; font-family: sans-serif; font-size: 14px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 22.3999996185303px; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px;">This attack works by inviting the Victim to a group. The XSS&nbsp; loads when the victim get notify about a group invitation. Making this XSS very dangerous and perfect to target specific people or </span><span style="-webkit-text-stroke-width: 0px; background-color: white; color: #252525; display: inline !important; float: none; font-family: sans-serif; font-size: 14px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 22.3999996185303px; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px;">people in general.</span><br /> <span style="-webkit-text-stroke-width: 0px; background-color: white; color: #252525; display: inline !important; float: none; font-family: sans-serif; font-size: 14px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 22.3999996185303px; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px;"><br /></span> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgX833VqYW7q-gFjl4Ef7ryj3MwrwdVsENh35uUcWuwzyLGIqp-EavX_935pfYhbwkSfzitEqAUT8TNmRDRM4vILaVL0sI0E5mkj2uZoaxnYxvk3X8ZjiGbSgG66fQ7MtWrSZJGucicpW9W/s1600/Screen+Shot+2013-11-22+at+10.42.16+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgX833VqYW7q-gFjl4Ef7ryj3MwrwdVsENh35uUcWuwzyLGIqp-EavX_935pfYhbwkSfzitEqAUT8TNmRDRM4vILaVL0sI0E5mkj2uZoaxnYxvk3X8ZjiGbSgG66fQ7MtWrSZJGucicpW9W/s1600/Screen+Shot+2013-11-22+at+10.42.16+PM.png" height="400" width="640" /></a></div> <br /> <br /> I report this two bugs to Yahoo Security team and I got two nice reward.<br /> <br /> Thanks Yahoo security Team!<br /> <br /> <br /> Video: Soon.<br /> <br /> <br /> <br /> <span style="-webkit-text-stroke-width: 0px; background-color: white; color: #252525; display: inline !important; float: none; font-family: sans-serif; font-size: 14px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 22.3999996185303px; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px;"></span><sup class="reference" id="cite_ref-5" style="-webkit-text-stroke-width: 0px; background-color: white; color: #252525; font-family: sans-serif; font-size: 11px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 1; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; unicode-bidi: -webkit-isolate; white-space: normal; widows: auto; word-spacing: 0px;"><a href="http://en.wikipedia.org/wiki/Flickr#cite_note-5" style="background: none; color: #0b0080; text-decoration: none; white-space: nowrap;"> </a></sup><span style="-webkit-text-stroke-width: 0px; background-color: white; color: #252525; display: inline !important; float: none; font-family: sans-serif; font-size: 14px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 22.3999996185303px; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px;"> </span><sup class="reference" id="cite_ref-10" style="-webkit-text-stroke-width: 0px; background-color: white; color: #252525; font-family: sans-serif; font-size: 11px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 1; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; unicode-bidi: -webkit-isolate; white-space: normal; widows: auto; word-spacing: 0px;"><a href="http://en.wikipedia.org/wiki/Flickr#cite_note-10" style="background: none; color: #0b0080; text-decoration: none; white-space: nowrap;"></a></sup>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-1893088872138294400.post-21657438558287165252014-05-20T05:52:00.003-07:002014-05-20T07:20:29.990-07:00Store XSS on Shopping Express Checkout [Reward]<div style="background-color: white; color: #252525; font-family: sans-serif; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 22.4px; margin: 0.5em 0px; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;"> <span style="font-size: small;"><b>Google Shopping Express</b><span class="Apple-converted-space">&nbsp;</span>is a same-day shopping service ("shop local stores online and get items delivered on the same day") from<span class="Apple-converted-space">&nbsp;</span>Google<span class="Apple-converted-space">&nbsp;</span>that was launched on a free trial basis in<span class="Apple-converted-space">&nbsp;</span>San Francisco<span class="Apple-converted-space">&nbsp;</span>and<span class="Apple-converted-space">&nbsp;</span>Silicon Valley<span class="Apple-converted-space">&nbsp;</span>in spring 2013 and publicly in September that year.</span></div> <div style="background-color: white; color: #252525; font-family: sans-serif; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 22.4px; margin: 0.5em 0px; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;"> <br /> <span style="font-size: small;">This store XSS was showing at "Shopping Express Checkout" <span style="background-color: white; color: #222222; display: inline ! important; float: none; font-family: arial,sans-serif; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;"><span class="Apple-converted-space">and by adding payload on the parameter "City" in </span></span>wallet.google.com I could bypass restrictions and trigger this XSS back on Google Checkout.</span></div> <div style="background-color: white; color: #252525; font-family: sans-serif; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 22.4px; margin: 0.5em 0px; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;"> <br /> <span style="font-size: small;">Image of Proof:</span></div> <div style="-webkit-text-stroke-width: 0px; background-color: white; color: #252525; font-family: sans-serif; font-size: 14px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 22.399999618530273px; margin: 0.5em 0px; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px;"> </div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhYQUqMU5k6pEefmdX-2vy41sHEPc-FLy26PCaoJpTDn8euo0qwqQ3P8NfxC_hpYsq-686C1a91dXk82BETlsGMpdZBm1RbFl5DN3LTZu8XQZd7xUQTlXUe46ImrJdTkAvJwHHsaP8WBQka/s1600/Screen-Shot-2014-05-09-at-12.26.01-AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhYQUqMU5k6pEefmdX-2vy41sHEPc-FLy26PCaoJpTDn8euo0qwqQ3P8NfxC_hpYsq-686C1a91dXk82BETlsGMpdZBm1RbFl5DN3LTZu8XQZd7xUQTlXUe46ImrJdTkAvJwHHsaP8WBQka/s1600/Screen-Shot-2014-05-09-at-12.26.01-AM.png" height="400" width="640" /></a></div> <div class="separator" style="clear: both; text-align: center;"> </div> <div style="background-color: white; color: #252525; font-family: sans-serif; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 22.4px; margin: 0.5em 0px; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;"> <br /> <span style="font-size: small;">This XSS was trigger just before paying pretty handy don't you think?</span></div> <div style="background-color: white; color: #252525; font-family: sans-serif; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 22.4px; margin: 0.5em 0px; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;"> <span style="font-size: small;"><br /></span></div> <div style="background-color: white; color: #252525; font-family: sans-serif; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 22.4px; margin: 0.5em 0px; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;"> <span style="font-size: small;">Well I report this to Google Security Team and they reply very quick. Fixing this bug within a week:</span></div> <div style="-webkit-text-stroke-width: 0px; background-color: white; color: #252525; font-family: sans-serif; font-size: 14px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 22.399999618530273px; margin: 0.5em 0px; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px;"> <br /></div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiimX47_n94dgm32LijQdDIv8jGEv6v9CCmoldlZxOXQpCHNIMdbjrR2I3XFfgn6yGbJ0l0A6bW2EiO3lKUy6zs8Z8Wb_71HvEWDxCxxHJUX3V3fBdeZEfIdutd3ZCPudESaS68GW0IeW1F/s1600/Screen+Shot+2014-05-20+at+8.04.18+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiimX47_n94dgm32LijQdDIv8jGEv6v9CCmoldlZxOXQpCHNIMdbjrR2I3XFfgn6yGbJ0l0A6bW2EiO3lKUy6zs8Z8Wb_71HvEWDxCxxHJUX3V3fBdeZEfIdutd3ZCPudESaS68GW0IeW1F/s1600/Screen+Shot+2014-05-20+at+8.04.18+AM.png" height="374" width="640" /></a></div> <div style="-webkit-text-stroke-width: 0px; background-color: white; color: #252525; font-family: sans-serif; font-size: 14px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 22.399999618530273px; margin: 0.5em 0px; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px;"> <br /></div> <div style="background-color: white; color: #252525; font-family: sans-serif; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 22.4px; margin: 0.5em 0px; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;"> <span style="font-size: small;"><br /></span></div> <div style="background-color: white; color: #252525; font-family: sans-serif; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 22.4px; margin: 0.5em 0px; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;"> <span style="font-size: small;"><br /></span></div> <div style="background-color: white; color: #252525; font-family: sans-serif; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 22.4px; margin: 0.5em 0px; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;"> <span style="font-size: small;">I'm very happy to be back on Google <a href="http://www.google.com/about/appsecurity/hall-of-fame/reward/">Hall of Fame</a> and I like to thanks Google Security Team for the reward.</span></div> <div style="background-color: white; color: #252525; font-family: sans-serif; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 22.4px; margin: 0.5em 0px; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;"> <span style="font-size: small;"><br /></span></div> <div style="background-color: white; color: #252525; font-family: sans-serif; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 22.4px; margin: 0.5em 0px; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;"> <span style="font-size: small;">I create a video reproducing this XSS:</span><br /> <br /></div> <div style="background-color: white; color: #252525; font-family: sans-serif; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 22.4px; margin: 0.5em 0px; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;"> <div class="separator" style="clear: both; text-align: center;"> <object class="BLOGGER-youtube-video" classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0" data-thumbnail-src="https://i1.ytimg.com/vi/_McdQrJ6jdA/0.jpg" height="266" width="320"><param name="movie" value="https://www.youtube.com/v/_McdQrJ6jdA?version=3&f=user_uploads&c=google-webdrive-0&app=youtube_gdata" /><param name="bgcolor" value="#FFFFFF" /><param name="allowFullScreen" value="true" /><embed width="320" height="266" src="https://www.youtube.com/v/_McdQrJ6jdA?version=3&f=user_uploads&c=google-webdrive-0&app=youtube_gdata" type="application/x-shockwave-flash" allowfullscreen="true"></embed></object></div> <span style="font-size: small;"><br /></span></div> Unknownnoreply@blogger.comtag:blogger.com,1999:blog-1893088872138294400.post-71598993465808369522014-05-11T16:13:00.000-07:002014-05-11T19:47:49.382-07:00Bypass Flash Same Origin Policy with Add-On<span id="goog_1465796277"></span><span id="goog_1465796278"></span><br /> The <b>same-origin policy</b> is an important concept in the web application security model. The policy permits scripts running on pages originating from the same site.<br /> <br /> I found that users using FlashFirebug&nbsp; are vulnerable to <b>same-origin policy</b> bypass. This Firefox add-ons <b>create a files</b><b> on the Flash Player Trust directory</b> disallowing <b>same-origin policy.</b><br /> <br /> <br /> For this example I will use Facebook Video preview box to trigger this Flash XSS. (Fortunately Faceboook use attachment.fbsbx.com )<br /> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNiNbXUSzMiHQtkNyS4a1CT-yDBsi428vHjyOF5-IChMGKpEJvNwlt_00m4uotxueQt_FuBi8_0576e-zZcc8fn24J4fEMrqF92MAz7zQk3TYEZOZ5vAztkUzVsFE65L1eL2CIbssN0EfY/s1600/Screen+Shot+2014-03-21+at+12.45.13+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNiNbXUSzMiHQtkNyS4a1CT-yDBsi428vHjyOF5-IChMGKpEJvNwlt_00m4uotxueQt_FuBi8_0576e-zZcc8fn24J4fEMrqF92MAz7zQk3TYEZOZ5vAztkUzVsFE65L1eL2CIbssN0EfY/s1600/Screen+Shot+2014-03-21+at+12.45.13+AM.png" height="400" width="640" /></a></div> <br /> By using a Flash XSS plus having FlashFirebug install on the Victim Firefox I can trigger this XSS and bypass Same Origin Policy<br /> <span style="-webkit-text-stroke-width: 0px; background-color: white; color: #333333; display: inline !important; float: none; font-family: Helvetica, Arial, 'lucida grande', tahoma, verdana, arial, sans-serif; font-size: 12.727272033691406px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 18.176362991333008px; orphans: auto; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px;"></span> <br /> <br /> <br /> I report this to Facebook and this was the response:<br /> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmFWS-L-X0zoXAR3wlayT9iUSoyRdof0JQXEPZdtVvCQbjg7aXq0nbdlH1cO6uoC7NzkcK9YbqcfPhFHmp5CaPcTb5ZR3WskiozMbuV3Nlz_9tCHKfj0dZ9hGKmWxYAZVRM_rWMq9mgrWZ/s1600/Screen+Shot+2014-05-11+at+3.34.49+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmFWS-L-X0zoXAR3wlayT9iUSoyRdof0JQXEPZdtVvCQbjg7aXq0nbdlH1cO6uoC7NzkcK9YbqcfPhFHmp5CaPcTb5ZR3WskiozMbuV3Nlz_9tCHKfj0dZ9hGKmWxYAZVRM_rWMq9mgrWZ/s1600/Screen+Shot+2014-05-11+at+3.34.49+PM.png" height="444" width="640" /></a></div> <br /> <br /> <br /> And me as a good bounty hunter I report to Adobe:<br /> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYYBWrTAXYZAkQdA2WFFo5VJWA62POPZEkh0TWdyqpd2bLfX6LQC1q_8oMW79I4hJXtVYRLCYWHLyBUzXhtZwgXniTdl5PhNSMCQh-p4-UUuOh1f0JkAlSLqXgFV7GvRFHssvZKhERer1S/s1600/Screen+Shot+2014-05-11+at+3.38.29+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYYBWrTAXYZAkQdA2WFFo5VJWA62POPZEkh0TWdyqpd2bLfX6LQC1q_8oMW79I4hJXtVYRLCYWHLyBUzXhtZwgXniTdl5PhNSMCQh-p4-UUuOh1f0JkAlSLqXgFV7GvRFHssvZKhERer1S/s1600/Screen+Shot+2014-05-11+at+3.38.29+PM.png" /></a></div> <br /> <br /> <br /> After doing a bit of looking I found that o-minds.com have a report bug page and here is their response: <br /> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvLhNIZPwxO0JIKVuuE9glaYpf_mN2TVMCyQQPkfPl3pS7nzyoqTjEuChpUags9GklCVOabcbFeL-Ukd1OyDT5FLow7N7XyqRWF-s6IUyDb1l0R9wyVpM7Q7P3PD7ujNx8cY-HkLFaeEhE/s1600/Screen+Shot+2014-05-11+at+6.08.22+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvLhNIZPwxO0JIKVuuE9glaYpf_mN2TVMCyQQPkfPl3pS7nzyoqTjEuChpUags9GklCVOabcbFeL-Ukd1OyDT5FLow7N7XyqRWF-s6IUyDb1l0R9wyVpM7Q7P3PD7ujNx8cY-HkLFaeEhE/s1600/Screen+Shot+2014-05-11+at+6.08.22+PM.png" height="218" width="640" /></a></div> <br /> <br /> &nbsp;I reply to them and after that I didn't receive a response.<br /> <br /> <br /> My conclusion:<br /> External Addons can bypass Flash "Same Origin Policy" by adding a files to flash trust directory allowing all Script Access ignoring the Same Origin Policy and this happen without the user knowledge.<br /> <br /> <br /> Video Poc:<br /> <br /> <br /> <br /> <div class="separator" style="clear: both; text-align: center;"> <object class="BLOGGER-youtube-video" classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0" data-thumbnail-src="https://i1.ytimg.com/vi/_Em0rkap_Gw/0.jpg" height="266" width="320"><param name="movie" value="https://www.youtube.com/v/_Em0rkap_Gw?version=3&f=user_uploads&c=google-webdrive-0&app=youtube_gdata" /><param name="bgcolor" value="#FFFFFF" /><param name="allowFullScreen" value="true" /><embed width="320" height="266" src="https://www.youtube.com/v/_Em0rkap_Gw?version=3&f=user_uploads&c=google-webdrive-0&app=youtube_gdata" type="application/x-shockwave-flash" allowfullscreen="true"></embed></object></div> <br /> <br /> <br /> Status:<br /> <br /> This bug still works and apparently is not geting fixed soon.<br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br />Unknownnoreply@blogger.comtag:blogger.com,1999:blog-1893088872138294400.post-45833159728354455722013-10-16T06:19:00.001-07:002013-10-16T06:27:15.397-07:00Dangerous Persistent XSS at Here.com [FIX]&nbsp;Here.com, is a Nokia business unit that brings together Nokia's mapping and location assets under one brand. The technology of Here is based on a cloud-computing model, in which location data and services are stored on remote servers so that users have access to it regardless of which device they use.<br /> <br /> &nbsp;HERE Map Creator is a service launched by Nokia in November 2012 to allow users to map their neighborhood.<br /> <br /> With this bug I could SAVE a Road name with a payload on the map. Any user that try on re-edit the street name will get this XSS.<br /> <span style="color: #222222;"><span style="font-family: arial, sans-serif;">I report a <span style="color: orange;"><a href="http://panchocosil.blogspot.com/2013/07/dangerous-xss-at-wazecom.html">similar bug to Waza.com a few months ago</a>.&nbsp; </span></span></span><br /> <span style="color: #222222;"><span style="font-family: arial, sans-serif;"><br /></span></span> <br /> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2V5psSlJXD4OHpgGU4HmWUIHNbkY6i-TbD_hIhs1mg_ItIt65AUSn2Qdw9BqQZXfLG83Bp135m59p1pIzFJtqCHKT8cOSBCSJ1o7lJWYzEuGKGRU1gjpRr-UoyoBdVxIn6VS63SqLC5FT/s1600/Screen+Shot+2013-09-23+at+8.34.36+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="374" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2V5psSlJXD4OHpgGU4HmWUIHNbkY6i-TbD_hIhs1mg_ItIt65AUSn2Qdw9BqQZXfLG83Bp135m59p1pIzFJtqCHKT8cOSBCSJ1o7lJWYzEuGKGRU1gjpRr-UoyoBdVxIn6VS63SqLC5FT/s640/Screen+Shot+2013-09-23+at+8.34.36+PM.png" width="640" /></a></div> <br /> <br /> Nokia Reponse:<br /> <br /> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVrO6aEr-UQBQV2sKIxvgJqi6q0TxZdWuJrNdMXLOOWUUMDsZPkcMFtf5zp3fe_CPB_isrigVXvCyJqCl48k-0x4n5aUJbqaLcPEqkE7-zheVydYRMB7D3rvMzMNTGFGt_vjngn3-Pja2O/s1600/Screen+Shot+2013-10-16+at+9.37.47+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="198" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVrO6aEr-UQBQV2sKIxvgJqi6q0TxZdWuJrNdMXLOOWUUMDsZPkcMFtf5zp3fe_CPB_isrigVXvCyJqCl48k-0x4n5aUJbqaLcPEqkE7-zheVydYRMB7D3rvMzMNTGFGt_vjngn3-Pja2O/s640/Screen+Shot+2013-10-16+at+9.37.47+AM.png" width="640" />&nbsp;</a></div> <div class="separator" style="clear: both; text-align: center;"> <br /></div> <div class="separator" style="clear: both; text-align: center;"> Thanks to Nokia for starting this <a href="http://www.nokia.com/global/security/acknowledgements/">bug bounty program</a>.</div> <div class="separator" style="clear: both; text-align: center;"> <br /></div> Unknownnoreply@blogger.comtag:blogger.com,1999:blog-1893088872138294400.post-76014689383761427272013-10-15T18:36:00.002-07:002013-10-15T18:38:19.959-07:00FLASH XSS AT ATT.COM [FIX]I found a Flash XSS at AT&amp;T main domain where an attacker could stealing credentials of users.<br /> <div> <br /> <div> Vuln URL:</div> <div> <br /></div> <a href="http://www.att.com/media/en_US/scripts/JSAM/JSAM_VideoPlayer.swf?completeHandler=JSAM.flashCompleteHandler);}catch(e)%20{alert(document.cookie);}//&amp;source=https://www.wireless.att.com/home/video_progressive/video_marquees/B2CNDA-24-emerald-hp-marquee-bkd.mp4">http://www.att.com/media/en_US/scripts/JSAM/JSAM_VideoPlayer.swf?completeHandler=<span style="color: orange;">JSAM.flashCompleteHandler);}catch(e) {alert(document.cookie);}//</span>&amp;source=https://www.wireless.att.com/home/video_progressive/video_marquees/B2CNDA-24-emerald-hp-marquee-bkd.mp4</a></div> <div> <br /> Payload: JSAM.flashCompleteHandler);}catch(e) {alert(document.cookie);}//<br /> <br /> <div> Flash Vuln Code:<br /> <blockquote class="tr_bq"> public function videoPlayer_completeHandler(_arg1:VideoEvent):void{ if (ExternalInterface.available){ ExternalInterface.call(completeHandler, ExternalInterface.objectID); } else { trace("JSAM_VideoPlayer cannot call completeHandler because ExternalInterface is not available."); }; }</blockquote> </div> <div> <br /></div> <div> Proof:</div> <div> <br /></div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgtc8fDsn7n7a7aC3rq4jUqflAPZ4fiHymZ3jBWIy0MpDMYiOk52oMSk1EWiENL8WJC_t9zsVNz_IBByuwJ4SWqJ4BgzbmKm2-TzapaZGALwBVJGVVM-l9U27PZNmy8O1c_kBeA448ZbKIi/s1600/Screen+Shot+2013-08-19+at+5.29.54+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="386" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgtc8fDsn7n7a7aC3rq4jUqflAPZ4fiHymZ3jBWIy0MpDMYiOk52oMSk1EWiENL8WJC_t9zsVNz_IBByuwJ4SWqJ4BgzbmKm2-TzapaZGALwBVJGVVM-l9U27PZNmy8O1c_kBeA448ZbKIi/s640/Screen+Shot+2013-08-19+at+5.29.54+PM.png" width="640" /></a></div> <div> <br /></div> <div> After 2 months AT&amp;T Response:</div> <div> <br /></div> <div> <br /></div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgX0Vb7iin2EBaBn80iSupPbsnt82Tff7_BZXCe-CX0WSC_JzCZFHpn1UShxis3GXTxowALR4jAIDLnNvUw6IcRJTi7QjBHPRXaEJ61JWFg4iGUTKAfmsYBWbPFXIO7u_xrhj8C9614vzAy/s1600/Screen+Shot+2013-10-15+at+10.30.47+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="322" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgX0Vb7iin2EBaBn80iSupPbsnt82Tff7_BZXCe-CX0WSC_JzCZFHpn1UShxis3GXTxowALR4jAIDLnNvUw6IcRJTi7QjBHPRXaEJ61JWFg4iGUTKAfmsYBWbPFXIO7u_xrhj8C9614vzAy/s640/Screen+Shot+2013-10-15+at+10.30.47+PM.png" width="640" /></a></div> <div> <br /></div> <div> <br /></div> <div> <b>I hope to be on the top 10 Award :)</b></div> </div> Unknownnoreply@blogger.comtag:blogger.com,1999:blog-1893088872138294400.post-87291695854641650522013-09-26T07:38:00.000-07:002013-09-26T20:45:57.879-07:00SQL Injection at Movistar.es [FIX]<br /> <b>Movistar</b> is a major Spanish mobile phone operator owned by TelefĂ³nica S.A. operating in Spain and in many Latin American countries. It is the largest carrier in Spain with 22 million customers (cellphone services only)<br /> <br /> I found this MSSQL Injection. By Adding ' WAITFOR DELAY '0:0:20'-- getting a positive response of 20-second delay. Proving this parameter SEOname is Vulnerable to SQL INJECTION.<br /> <br /> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjlwJ9fHJt5CsL2y-FbsMRqqWb7-Eemir2igcOPytIjK9IOOtOb7588X1F-Zy0aizf26dc5ExpmLLpGUeTHrH4zUcdzd3FMBYAwjZUj-jGOeXFv5QYDj2I5cTJKinsWdkDo19kGexlYoPOn/s1600/ERROR-MOVISTAR.ES.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="388" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjlwJ9fHJt5CsL2y-FbsMRqqWb7-Eemir2igcOPytIjK9IOOtOb7588X1F-Zy0aizf26dc5ExpmLLpGUeTHrH4zUcdzd3FMBYAwjZUj-jGOeXFv5QYDj2I5cTJKinsWdkDo19kGexlYoPOn/s640/ERROR-MOVISTAR.ES.png" width="640" /></a></div> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJDH0ld3oIrpsBFKlmRnb_-z-vcpmyeYGiKZ1CqKCuVfjT6AaAGKH23dsazgFhywAcF2sokoup-WxuLO5BvdOQxkqZeNaGk1su5uuboXWn06F6tx8oYuI_13RKkFZWfPkBNanXVNZPm6lw/s1600/20sec.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="386" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJDH0ld3oIrpsBFKlmRnb_-z-vcpmyeYGiKZ1CqKCuVfjT6AaAGKH23dsazgFhywAcF2sokoup-WxuLO5BvdOQxkqZeNaGk1su5uuboXWn06F6tx8oYuI_13RKkFZWfPkBNanXVNZPm6lw/s640/20sec.png" width="640" /></a></div> <br /> I Report this to&nbsp;Movistar&nbsp;and they reply and FIX quick :)<br /> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgHXLYUlojM5C19zkN0BNHE35lxKKym5NnOhBQLJFiiB9wb2INdfoinLT9tpFGb4DG2Ug7uZkB8wi9V18scIar-9loqdTEAUaumWH41xztCZgSAYQuc0d8OBVcIs5wprNb7AOMNcIcLe6Z5/s1600/Screen+Shot+2013-09-26+at+11.23.04+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="361" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgHXLYUlojM5C19zkN0BNHE35lxKKym5NnOhBQLJFiiB9wb2INdfoinLT9tpFGb4DG2Ug7uZkB8wi9V18scIar-9loqdTEAUaumWH41xztCZgSAYQuc0d8OBVcIs5wprNb7AOMNcIcLe6Z5/s400/Screen+Shot+2013-09-26+at+11.23.04+AM.png" width="400" /></a></div> <br /> <br /> Great job Movistar! Unknownnoreply@blogger.comtag:blogger.com,1999:blog-1893088872138294400.post-80547256226304061492013-09-25T09:20:00.003-07:002013-09-25T10:56:32.862-07:00SQL Injection at archive.org [Fix]<br /> The Internet Archive allows the public to upload and download digital material to its data cluster, but the bulk of its data is collected automatically by its web crawlers, which work to preserve as much of the public web as possible. Its web archive, The Wayback Machine, contains over 150+ billion web captures.<br /> <br /> &nbsp;Looking at archive.org I found a cool MySql Injection on the user panel. Using " and "1"="1"#&nbsp;instead of &nbsp;' and '1'='1'#<br /> <br /> I did this by updating my nickname to 1" and "1"="1" union select version(0)# geting the version of mysql successfully.<br /> <br /> Vulnerable URL:<br /> https://archive.org/account/?screenname=1"+and+"1"="1"+union+select+version(0)#&amp;action=change-screenname&amp;submit=Change<br /> <br /> I report this to archive.org and I never have a&nbsp;reply. After 4 months they fix it.<br /> <br /> <br /> Proof:<br /> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9fXiKwoqmgO1ohOW8_86MEfWA7qS4WfRNEXTgxZUsnKI3PQTAXhotSAiO9SQTa7sL2QWN_7R7fMSKnptbE7Ktww8qbw9MIYm23cRA62Eohkm-vFJGumOIEL4dCIpAeEnZJmRf5rI6uPEb/s1600/Sql-Injetion.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="366" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9fXiKwoqmgO1ohOW8_86MEfWA7qS4WfRNEXTgxZUsnKI3PQTAXhotSAiO9SQTa7sL2QWN_7R7fMSKnptbE7Ktww8qbw9MIYm23cRA62Eohkm-vFJGumOIEL4dCIpAeEnZJmRf5rI6uPEb/s400/Sql-Injetion.png" width="400" /></a></div> <br /> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2b0ixgymZjshZfIkLraB7073n8OTDtjkRTXJttphQQDoKEtP9grhRjmCl0ZU6Wt8stAFacfGX-7UxgIGzIk_xjqTkajwsrcBuvWVkp03UdLtNfW1hGGv6nVHAQtX185bcIWBkCFi9bvhm/s1600/Sql-Injetion-positive.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="233" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2b0ixgymZjshZfIkLraB7073n8OTDtjkRTXJttphQQDoKEtP9grhRjmCl0ZU6Wt8stAFacfGX-7UxgIGzIk_xjqTkajwsrcBuvWVkp03UdLtNfW1hGGv6nVHAQtX185bcIWBkCFi9bvhm/s640/Sql-Injetion-positive.png" width="640" /></a></div> <div class="separator" style="clear: both; text-align: center;"> <br /></div> <div class="separator" style="clear: both; text-align: center;"> <br /></div> <div class="separator" style="clear: both; text-align: center;"> A simple thank you would be nice.</div> <div class="separator" style="clear: both; text-align: center;"> <br /></div> <div class="separator" style="clear: both; text-align: center;"> <br /></div> <div class="separator" style="clear: both; text-align: center;"> <br /></div> Unknownnoreply@blogger.comtag:blogger.com,1999:blog-1893088872138294400.post-68438538717049271842013-07-24T11:06:00.001-07:002013-07-24T11:17:21.497-07:00Sql Injection in Apple and Ubuntu - Apology emails...<br /> This week I got two emails one from Apple and an other one from Ubuntu saying:<br /> <br /> <br /> <div class="separator" style="clear: both; text-align: center;"> </div> <div class="separator" style="clear: both; text-align: center;"> </div> <div class="separator" style="clear: both; text-align: center;"> </div> <div class="separator" style="clear: both; text-align: center;"> </div> <div class="separator" style="clear: both; text-align: center;"> </div> <div class="separator" style="clear: both; text-align: center;"> </div> <div class="separator" style="clear: both; text-align: center;"> </div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEho3SbgLmfQ0Sac6T9i0yKueycj4M1Osc9D2Ho6w_L14MYOl_zKuEwJiRNYbo7_yF8Lm3cM-Mk0GKAlQyqyZBlUqLyGQEkVfU_78FNb_XgFBF1eBR2XT-VYJNNgj1AmUyj-RNAp22jEbxcE/s1600/Screen+Shot+2013-07-24+at+1.32.33+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="435" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEho3SbgLmfQ0Sac6T9i0yKueycj4M1Osc9D2Ho6w_L14MYOl_zKuEwJiRNYbo7_yF8Lm3cM-Mk0GKAlQyqyZBlUqLyGQEkVfU_78FNb_XgFBF1eBR2XT-VYJNNgj1AmUyj-RNAp22jEbxcE/s640/Screen+Shot+2013-07-24+at+1.32.33+PM.png" width="640" /></a></div> <br /> <br /> --<br /> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_DPojLQ4cSrkAwD6br4JVxBINMVcofxruKchk1WxchUl6eqLFyAOeU7_OB21-nDHu9aTvJJd_prMh9xwGzV5wemCG1dKl75uo5pSUy6wA12AFn9M9W2b8F5VNgI4-dKY-91Wa21k_S6Ei/s1600/Screen+Shot+2013-07-24+at+1.31.50+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="265" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_DPojLQ4cSrkAwD6br4JVxBINMVcofxruKchk1WxchUl6eqLFyAOeU7_OB21-nDHu9aTvJJd_prMh9xwGzV5wemCG1dKl75uo5pSUy6wA12AFn9M9W2b8F5VNgI4-dKY-91Wa21k_S6Ei/s640/Screen+Shot+2013-07-24+at+1.31.50+PM.png" width="640" /></a></div> <br /> <br /> <br /> Now all users have to change there passwords. Even I... Maybe in the future they will care more about their security. <br /> <div style="text-align: center;"> <br /></div> <div style="text-align: center;"> <br /></div> <div style="text-align: center;"> &nbsp;This is why all companies should have a <a href="http://bugcrowd.com/list-of-bug-bounty-programs/">Bug Bounty Program</a><br /> <br /> <br /></div> Unknownnoreply@blogger.comtag:blogger.com,1999:blog-1893088872138294400.post-52923408490640614442013-07-17T06:23:00.000-07:002013-07-19T11:01:23.142-07:00Highly XSS at Google Hangouts (Reward)<br /> <br /> <span style="-webkit-text-stroke-width: 0px; background-color: white; color: #222222; display: inline !important; float: none; font-family: arial, sans-serif; font-size: 13.333333969116211px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px;">First of all I like to said this XSS it's stored on Google "sandbox" and it impossible to grap Cookies.</span><br /> <br style="-webkit-text-stroke-width: 0px; background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 13.333333969116211px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px;" /> <span style="-webkit-text-stroke-width: 0px; background-color: white; color: #222222; display: inline !important; float: none; font-family: arial, sans-serif; font-size: 13.333333969116211px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px;">But its possible to send it to an other user using "Google Art Project Add-ons" at<span class="Apple-converted-space"> </span></span><a href="https://plus.google.com/hangouts/_/" style="-webkit-text-stroke-width: 0px; background-color: white; color: #1155cc; font-family: arial, sans-serif; font-size: 13.333333969116211px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px;" target="_blank">https://plus.google.com/<wbr></wbr>hangouts/_/</a><span style="-webkit-text-stroke-width: 0px; background-color: white; color: #222222; display: inline !important; float: none; font-family: arial, sans-serif; font-size: 13.333333969116211px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px;"><span class="Apple-converted-space">.&nbsp;</span></span><br /> <br /> <span style="-webkit-text-stroke-width: 0px; background-color: white; color: #222222; display: inline !important; float: none; font-family: arial, sans-serif; font-size: 13.333333969116211px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px;"><span class="Apple-converted-space">Hangouts allows users to hold conversations between two or more users. The service can be accessed online through the Gmail or Google+ websites, or through mobile apps available for Android and iOS (which were distributed as a successor to their existing Google Talk apps).</span></span><br /> <br /> <span style="-webkit-text-stroke-width: 0px; background-color: white; color: #222222; display: inline !important; float: none; font-family: arial, sans-serif; font-size: 13.333333969116211px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px;">This Persistent XSS can be more significant than other types because an attacker's malicious script is rendered automatically when an modify art project it's share to the Victim using hangouts add-ons.<span class="Apple-converted-space">&nbsp;</span></span><br /> <span style="-webkit-text-stroke-width: 0px; background-color: white; color: #222222; display: inline !important; float: none; font-family: arial, sans-serif; font-size: 13.333333969116211px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px;">(like showing under)</span><br /> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPlmsmw_nAC67zKwwPhIgOOoTG-dcju2gdfOK7f6YvYRRnxd1Skv4W-ErBLfPH6KK51bTy0zy15cr1bEjIbSJfIsUj1GaO6ylqIaau0nsxqVSACMXN0wrY3OY2UXKfC8uH0qoMwDBZRZYu/s1600/Screen+Shot+2013-07-05+at+7.27.33+PM.bmp" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="300" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPlmsmw_nAC67zKwwPhIgOOoTG-dcju2gdfOK7f6YvYRRnxd1Skv4W-ErBLfPH6KK51bTy0zy15cr1bEjIbSJfIsUj1GaO6ylqIaau0nsxqVSACMXN0wrY3OY2UXKfC8uH0qoMwDBZRZYu/s400/Screen+Shot+2013-07-05+at+7.27.33+PM.bmp" width="400" /></a></div> <br /> <div style="text-align: center;"> <br /></div> <div style="text-align: center;"> <span style="-webkit-text-stroke-width: 0px; background-color: white; color: #222222; display: inline !important; float: none; font-family: arial, sans-serif; font-size: 13.333333969116211px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px;">(This is an Interactive Chat and can be easy use by anyone)<span class="Apple-converted-space">&nbsp;</span></span></div> <br style="-webkit-text-stroke-width: 0px; background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 13.333333969116211px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px;" /> <br style="-webkit-text-stroke-width: 0px; background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 13.333333969116211px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px;" /> <span style="-webkit-text-stroke-width: 0px; background-color: white; color: #222222; display: inline !important; float: none; font-family: arial, sans-serif; font-size: 13.333333969116211px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px;">I first modify the Art Protect I want to inject at &nbsp;</span><a href="http://www.google.com/culturalinstitute/project/art-project?hl=en" style="-webkit-text-stroke-width: 0px; background-color: white; color: #1155cc; font-family: arial, sans-serif; font-size: 13.333333969116211px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px;" target="_blank">http://www.google.com/<wbr></wbr>culturalinstitute/project/art-<wbr></wbr>project?hl=en</a><span style="-webkit-text-stroke-width: 0px; background-color: white; color: #222222; display: inline !important; float: none; font-family: arial, sans-serif; font-size: 13.333333969116211px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px;"><span class="Apple-converted-space">&nbsp;</span></span><br /> <br style="-webkit-text-stroke-width: 0px; background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 13.333333969116211px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px;" /> <span style="-webkit-text-stroke-width: 0px; background-color: white; color: #222222; display: inline !important; float: none; font-family: arial, sans-serif; font-size: 13.333333969116211px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px;">Then using Google Art Project Add-ons on "Google Hangouts" I can share it to all users in the chat triggering the XSS.</span><br /> <br style="-webkit-text-stroke-width: 0px; background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 13.333333969116211px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px;" /> <span style="-webkit-text-stroke-width: 0px; background-color: white; color: #222222; display: inline !important; float: none; font-family: arial, sans-serif; font-size: 13.333333969116211px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px;">(Below </span><span style="-webkit-text-stroke-width: 0px; background-color: white; color: #222222; display: inline !important; float: none; font-family: arial, sans-serif; font-size: 13.333333969116211px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px;"><span style="-webkit-text-stroke-width: 0px; background-color: white; color: #222222; display: inline !important; float: none; font-family: arial, sans-serif; font-size: 13.333333969116211px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px;">Google Art</span> Injection Points)</span><br /> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOtNvcoBKrCAYPr2NeGIA_P2ESSQEhpyLU2JvILCqQ2RPbT0YsRwSKQumnuKmdq26rlUt12J2wYZTIvIR3Q2dm0nqT-DgV3li1xilZD3tihJ4OshLlAS3CgNiuUqW0wKOCl0OXmlN0kNjn/s1600/Screen+Shot+2013-07-09+at+2.12.57+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="227" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOtNvcoBKrCAYPr2NeGIA_P2ESSQEhpyLU2JvILCqQ2RPbT0YsRwSKQumnuKmdq26rlUt12J2wYZTIvIR3Q2dm0nqT-DgV3li1xilZD3tihJ4OshLlAS3CgNiuUqW0wKOCl0OXmlN0kNjn/s400/Screen+Shot+2013-07-09+at+2.12.57+PM.png" width="400" /></a></div> <br /> <br /> <span style="-webkit-text-stroke-width: 0px; background-color: white; color: #222222; display: inline !important; float: none; font-family: arial, sans-serif; font-size: 13.333333969116211px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px;"><span style="-webkit-text-stroke-width: 0px; background-color: white; color: #222222; display: inline !important; float: none; font-family: arial, sans-serif; font-size: 13.333333969116211px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px;">This attack can be use to publish user login cross site scripting attack or other malicious scripts.</span></span><br /> <span style="-webkit-text-stroke-width: 0px; background-color: white; color: #222222; display: inline !important; float: none; font-family: arial, sans-serif; font-size: 13.333333969116211px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px;"></span><br /> <span style="-webkit-text-stroke-width: 0px; background-color: white; color: #222222; display: inline !important; float: none; font-family: arial, sans-serif; font-size: 13.333333969116211px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px;"><span style="-webkit-text-stroke-width: 0px; background-color: white; color: #222222; display: inline !important; float: none; font-family: arial, sans-serif; font-size: 13.333333969116211px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px;">Google response:</span></span><br /> <br /> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjaUPUwM5ptiBDoaJ53DAZSJgRKD1f_niSm2nABEWu-GYrXyujO8VKMPcLPCY862PS1fjBmdjTxnc75sLSl4bXY37d8KHkBsIH6WNwqM00p59AR9c393E2SIC8NSsjWlYV0Di3vZabmFrIJ/s1600/Screen+Shot+2013-07-16+at+10.49.59+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="184" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjaUPUwM5ptiBDoaJ53DAZSJgRKD1f_niSm2nABEWu-GYrXyujO8VKMPcLPCY862PS1fjBmdjTxnc75sLSl4bXY37d8KHkBsIH6WNwqM00p59AR9c393E2SIC8NSsjWlYV0Di3vZabmFrIJ/s640/Screen+Shot+2013-07-16+at+10.49.59+PM.png" width="640" /></a></div> <br /> <span style="-webkit-text-stroke-width: 0px; background-color: white; color: #222222; display: inline !important; float: none; font-family: arial, sans-serif; font-size: 13.333333969116211px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px;"><span style="-webkit-text-stroke-width: 0px; background-color: white; color: #222222; display: inline !important; float: none; font-family: arial, sans-serif; font-size: 13.333333969116211px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px;"><br /></span></span> <br /> <span style="-webkit-text-stroke-width: 0px; background-color: white; color: #222222; display: inline !important; float: none; font-family: arial, sans-serif; font-size: 13.333333969116211px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px;"><span style="-webkit-text-stroke-width: 0px; background-color: white; color: #222222; display: inline !important; float: none; font-family: arial, sans-serif; font-size: 13.333333969116211px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px;">I like to thanks Google again for this Reward.</span></span> <br /> <span style="-webkit-text-stroke-width: 0px; background-color: white; color: #222222; display: inline !important; float: none; font-family: arial, sans-serif; font-size: 13.333333969116211px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px;"><span style="-webkit-text-stroke-width: 0px; background-color: white; color: #222222; display: inline !important; float: none; font-family: arial, sans-serif; font-size: 13.333333969116211px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px;">&nbsp;</span> </span>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-1893088872138294400.post-13400064022548597462013-07-10T10:51:00.002-07:002013-07-10T12:59:49.583-07:00Google pay me $3.133USD!!<h3> &nbsp;</h3> <h3> Finally! I find the bug a was looking for!! last week looking at sketchup.google.com I find a flash file vulnerable to xss at parameter eventHandler</h3> <h3> &nbsp;</h3> <blockquote class="tr_bq"> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPgLsQu1G9LnRB6wELM7tai9vHmPB7pDsO7fhlcjnAjKqpkt-vd3gwN0dQQjZ3dv9SAX0VZgbq4WIhpgzSKZniiPyTDmpwcVBZ_PQCXY6gAWWBg90xjpRm9ENUmoQ38E03R5tcEcdXtziQ/s1600/Screen+Shot+2013-07-10+at+3.25.03+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="72" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPgLsQu1G9LnRB6wELM7tai9vHmPB7pDsO7fhlcjnAjKqpkt-vd3gwN0dQQjZ3dv9SAX0VZgbq4WIhpgzSKZniiPyTDmpwcVBZ_PQCXY6gAWWBg90xjpRm9ENUmoQ38E03R5tcEcdXtziQ/s400/Screen+Shot+2013-07-10+at+3.25.03+PM.png" width="400" /></a></div> <div class="separator" style="clear: both; text-align: center;"> </div> <br /></blockquote> <br /> with this was possible to get a positive XSS :)<br /> <br /> <div style="-webkit-text-stroke-width: 0px; background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 12.800000190734863px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px;"> </div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8hsjQ8KI-rYt4ZQLhHv7u4MvwAf4dzlVXdcddACxXUTFiJcVZlEbMNYdFDEsX7F0LG7qO_nUva4-uUiKLLR6hg5ytEG9AWbYsg8GW4WhxeJQpGyUOXz8U8m7QL-PrCZTLJPGUAPlZnOOr/s1600/Screen+Shot+2013-07-07+at+6.56.21+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="387" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8hsjQ8KI-rYt4ZQLhHv7u4MvwAf4dzlVXdcddACxXUTFiJcVZlEbMNYdFDEsX7F0LG7qO_nUva4-uUiKLLR6hg5ytEG9AWbYsg8GW4WhxeJQpGyUOXz8U8m7QL-PrCZTLJPGUAPlZnOOr/s640/Screen+Shot+2013-07-07+at+6.56.21+PM.png" width="640" /></a></div> <div style="-webkit-text-stroke-width: 0px; background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 12.800000190734863px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px;"> </div> <div style="background-color: white; color: #222222; font-family: arial,sans-serif; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;"> </div> <div style="background-color: white; color: #222222; font-family: arial,sans-serif; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;"> <br /> <br /> <span style="font-size: small;">Google Response:</span><br /> <br /> </div> <div style="background-color: white; color: #222222; font-family: arial,sans-serif; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;"> </div> <div style="-webkit-text-stroke-width: 0px; background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 12.800000190734863px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px;"> </div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKA8M5Yky9l_ozZ_F7Pf4rF7otfgbg3VHXS71Nr50TV7G22dnh2myOhCKJWU8rTdqiLGkpiaZRwEDH-LaIKGRY7WKTMscIHXL1BOeMH9djY_zz0NaLokt3nOrPvstDe5tMZBpEAdRzxKXS/s1600/Screen+Shot+2013-07-10+at+10.28.36+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="264" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKA8M5Yky9l_ozZ_F7Pf4rF7otfgbg3VHXS71Nr50TV7G22dnh2myOhCKJWU8rTdqiLGkpiaZRwEDH-LaIKGRY7WKTMscIHXL1BOeMH9djY_zz0NaLokt3nOrPvstDe5tMZBpEAdRzxKXS/s640/Screen+Shot+2013-07-10+at+10.28.36+AM.png" width="640" /></a></div> <div style="-webkit-text-stroke-width: 0px; background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 12.800000190734863px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px;"> </div> <div style="background-color: white; color: #222222; font-family: arial,sans-serif; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;"> </div> <div style="-webkit-text-stroke-width: 0px; background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 12.800000190734863px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px;"> <span style="font-size: small;">This is my first big reward and Im happy as. </span></div> <div style="background-color: white; color: #222222; font-family: arial,sans-serif; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;"> </div> <div style="background-color: white; color: #222222; font-family: arial,sans-serif; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;"> <br /> <span style="font-size: small;">I like to thanks to google for starting this program. </span></div> <div style="background-color: white; color: #222222; font-family: arial,sans-serif; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;"> </div> <div style="background-color: white; color: #222222; font-family: arial,sans-serif; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;"> <br /> <span style="font-size: small;">Report:<span style="background-color: white; color: #222222; display: inline ! important; float: none; font-family: arial,sans-serif; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: nowrap; word-spacing: 0px;">Fri, Jul 5, 2013 at 2:13 PM</span></span></div> <div style="-webkit-text-stroke-width: 0px; background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 12.800000190734863px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px;"> <span style="font-size: small;"><span style="background-color: white; color: #222222; display: inline ! important; float: none; font-family: arial,sans-serif; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: nowrap; word-spacing: 0px;">Fix: </span></span><span style="-webkit-text-stroke-width: 0px; background-color: white; color: #222222; display: inline !important; float: none; font-family: arial, sans-serif; font-size: 12.800000190734863px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: nowrap; widows: auto; word-spacing: 0px;"><span style="font-size: small;"><span style="background-color: white; color: #222222; display: inline ! important; float: none; font-family: arial,sans-serif; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: nowrap; word-spacing: 0px;">Tues, Jul 9, 2013 at 9:00 AM</span></span> </span></div> <div style="-webkit-text-stroke-width: 0px; background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 12.800000190734863px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px;"> <span style="-webkit-text-stroke-width: 0px; background-color: white; color: #222222; display: inline !important; float: none; font-family: arial, sans-serif; font-size: 12.800000190734863px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: nowrap; widows: auto; word-spacing: 0px;">&nbsp;</span> <br /> <div> <br /></div> </div> Unknownnoreply@blogger.comtag:blogger.com,1999:blog-1893088872138294400.post-70896789918024785452013-07-07T00:08:00.003-07:002013-07-07T17:29:18.072-07:00Dangerous XSS Persistent at Waze.com<h3> &nbsp;</h3> <h4> <span style="font-family: inherit;"><span style="font-weight: normal;"><span class="st">Waze is currently using its second generation map editing interface. Known as the Waze Map Editor (or WME for short), it is the default editor for Waze since September 19, 2011. This editor interface is internally code-named "Papyrus", and was functionally upgraded on April 21, 2013.</span>&nbsp;</span></span></h4> <h4> <span style="font-family: inherit;"><span style="font-weight: normal;">&nbsp;</span></span></h4> <h4> <span style="font-family: inherit;"><span style="font-weight: normal;">When adding an alternate city and street name was possible to inject a nice </span></span><span class="st"><i>XSS</i>.</span></h4> <div> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgsbMXzUkVYwjIBXRQl1csBoF8VaNhtrpah3zrrl0QLcifIBT3OG_ovmTZ-kT2ySdM3kBTuNHi5lgLFxRaxHGcL5VeRpjYNeUWQMYYOHdGms6t0DrYlaftact8CNjkkNRGBqoSBbkWMqe_3/s1600/Screen+Shot+2013-06-26+at+7.23.10+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="227" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgsbMXzUkVYwjIBXRQl1csBoF8VaNhtrpah3zrrl0QLcifIBT3OG_ovmTZ-kT2ySdM3kBTuNHi5lgLFxRaxHGcL5VeRpjYNeUWQMYYOHdGms6t0DrYlaftact8CNjkkNRGBqoSBbkWMqe_3/s400/Screen+Shot+2013-06-26+at+7.23.10+PM.png" width="400" /></a></div> <br /></div> <div> <br /></div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://pbs.twimg.com/media/BOdbQOQCIAEc50Y.png:large" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="228" src="https://pbs.twimg.com/media/BOdbQOQCIAEc50Y.png:large" width="400" /></a></div> <div> <br /> <div> If I save on the editor all users that click on the street get the XSS. </div> <div> <br /> <br /></div> </div> <div> Google Response:</div> <div> <br /></div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjo1ysPnWfLmr0_H9Db5F572zccolAwixiPk8ej-h-Wx54_ZadMxBglWdJsknd7vQui6D58__eHSlgcDDLFasOKMk_A3R7xEqI2LqIqj2JeY4fwbgI9ikgF5AbR20_7UkrLhTFj1uaRFIMu/s1600/Screen+Shot+2013-07-07+at+3.01.21+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="115" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjo1ysPnWfLmr0_H9Db5F572zccolAwixiPk8ej-h-Wx54_ZadMxBglWdJsknd7vQui6D58__eHSlgcDDLFasOKMk_A3R7xEqI2LqIqj2JeY4fwbgI9ikgF5AbR20_7UkrLhTFj1uaRFIMu/s400/Screen+Shot+2013-07-07+at+3.01.21+AM.png" width="400" /></a></div> <div class="separator" style="clear: both; text-align: left;"> <br /></div> <div class="separator" style="clear: both; text-align: left;"> Next time I will wait 6 months :)</div> <div> <br /></div> <div> Report: Wed, Jun 26, 2013 at 7:53 PM&nbsp;</div> <div> Fix: Tue, Jul 02, 2013 at 9:00 PM</div> Unknownnoreply@blogger.comtag:blogger.com,1999:blog-1893088872138294400.post-67634958502451137512013-07-06T23:54:00.000-07:002013-07-07T17:35:09.027-07:00Swf file Preview at googlegroups.com<h4> <span style="font-family: inherit;"><span style="font-weight: normal;"><span style="font-size: small;">&nbsp;</span></span></span></h4> <h3> <span style="font-size: large;"><span style="font-family: Times,&quot;Times New Roman&quot;,serif;"><span style="font-weight: normal;">Today looking at&nbsp;<a href="http://googlegroups.com/" target="_blank">googlegroups.com</a> when uploading a file swf I could preview the file&nbsp;</span><span style="font-weight: normal;">on the server triggering bugs like XSS, Redirection, http request</span></span></span></h3> <h4> <span style="font-family: Arial, Helvetica, sans-serif; font-size: small; font-weight: normal;">&nbsp;</span></h4> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjAfZ81ln0NW8EYttfKze8Pm64DIXNxqHYtEMaeD0toTJxqoylPtW5bqUthkcB3hzYt24boXKW0Jlfc2MT3FlIue-Gt4VDryEFhShrPEhSe6sNu_oB8MmXfEgWqQOXX6LyDlbtwlpbu8RDa/s1600/Screen+Shot+2013-06-30+at+10.35.34+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="227" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjAfZ81ln0NW8EYttfKze8Pm64DIXNxqHYtEMaeD0toTJxqoylPtW5bqUthkcB3hzYt24boXKW0Jlfc2MT3FlIue-Gt4VDryEFhShrPEhSe6sNu_oB8MmXfEgWqQOXX6LyDlbtwlpbu8RDa/s400/Screen+Shot+2013-06-30+at+10.35.34+PM.png" width="400" /></a></div> <div> <span style="font-weight: normal;"><span style="font-family: Arial, Helvetica, sans-serif; font-size: small;"><br /></span></span></div> <div> <span style="font-weight: normal;"><span style="font-family: Arial, Helvetica, sans-serif; font-size: small;"><br /></span></span></div> <span style="font-family: arial, sans-serif; white-space: nowrap;">XSS proof:</span><br /> <a href="https://anon4v.googlegroups.com/attach/ad95b6883d02ee92/xss.swf?gda=--h2a0cAAAAf1aJvtdZvL0V0Vur0XewTV1qzvAInIaFKdkrbn96pkZ1koWdz85XW-WM6SHiL84IbQwFxJw55cVwemAxM-EWmeV4duv6pDMGhhhZdjQlNAw&amp;c=alert%28document.cookie%29&amp;a=eval&amp;view=1&amp;part=4" target="_blank">https://anon4v.googlegroups.<wbr></wbr>com/attach/ad95b6883d02ee92/<wbr></wbr>xss.swf?gda=--<wbr></wbr>h2a0cAAAAf1aJvtdZvL0V0Vur0XewT<wbr></wbr>V1qzvAInIaFKdkrbn96pkZ1koWdz85<wbr></wbr>XW-<wbr></wbr>WM6SHiL84IbQwFxJw55cVwemAxM-<wbr></wbr>EWmeV4duv6pDMGhhhZdjQlNAw&amp;c=<wbr></wbr>alert(document.cookie)&amp;a=eval&amp;<wbr></wbr>view=1&amp;part=4</a><br /> <span style="color: black; font-family: arial, sans-serif;"><span style="white-space: nowrap;"><br /></span></span> <span style="color: black; font-family: arial, sans-serif;"><span style="white-space: nowrap;">Redirection</span></span><span style="font-family: arial, sans-serif; white-space: nowrap;">&nbsp;proof:</span><br /> <a href="https://anon4v.googlegroups.com/attach/ad95b6883d02ee92/xss.swf?gda=--h2a0cAAAAf1aJvtdZvL0V0Vur0XewTV1qzvAInIaFKdkrbn96pkZ1koWdz85XW-WM6SHiL84IbQwFxJw55cVwemAxM-EWmeV4duv6pDMGhhhZdjQlNAw&amp;a=location&amp;c=http://www.paypal.com/&amp;view=1&amp;part=4"><span id="goog_1847348958"></span>https://anon4v.googlegroups.<wbr></wbr>com/attach/ad95b6883d02ee92/<wbr></wbr>xss.swf?gda=--<wbr></wbr>h2a0cAAAAf1aJvtdZvL0V0Vur0XewT<wbr></wbr>V1qzvAInIaFKdkrbn96pkZ1koWdz85<wbr></wbr>XW-<wbr></wbr>WM6SHiL84IbQwFxJw55cVwemAxM-<wbr></wbr>EWmeV4duv6pDMGhhhZdjQlNAw&amp;a=<wbr></wbr>location&amp;c=http://www.paypal.<wbr></wbr>com/&amp;view=1&amp;part=4</a><br /> <span id="goog_1847348959"></span><br /> http request to url&nbsp;<span style="font-family: arial, sans-serif; white-space: nowrap;">proof</span>:<br /> <a href="https://anon4v.googlegroups.com/attach/ad95b6883d02ee92/xss.swf?gda=--h2a0cAAAAf1aJvtdZvL0V0Vur0XewTV1qzvAInIaFKdkrbn96pkZ1koWdz85XW-WM6SHiL84IbQwFxJw55cVwemAxM-EWmeV4duv6pDMGhhhZdjQlNAw&amp;a=get&amp;c=http://www.webcrea.cl/&amp;view=1&amp;part=4">https://anon4v.googlegroups.<wbr></wbr>com/attach/ad95b6883d02ee92/<wbr></wbr>xss.swf?gda=--<wbr></wbr>h2a0cAAAAf1aJvtdZvL0V0Vur0XewT<wbr></wbr>V1qzvAInIaFKdkrbn96pkZ1koWdz85<wbr></wbr>XW-<wbr></wbr>WM6SHiL84IbQwFxJw55cVwemAxM-<wbr></wbr>EWmeV4duv6pDMGhhhZdjQlNAw&amp;a=<wbr></wbr>get&amp;c=http://www.webcrea.cl/&amp;<wbr></wbr>view=1&amp;part=4</a><br /> <br /> Xss.swf source:<br /> <a href="https://github.com/evilcos/xss.swf/blob/master/xss_source.txt">https://github.com/evilcos/<wbr></wbr>xss.swf/blob/master/xss_<wbr></wbr>source.txt</a><br /> <br /> <span style="font-family: Arial,Helvetica,sans-serif;"><span style="font-weight: normal;"><br /></span></span> <span style="font-family: Arial,Helvetica,sans-serif;"><span style="font-weight: normal;"> Google security team&nbsp;response:</span></span><br /> <br /> <div> <br /></div> <div> <br /></div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwT-i8GWM7TI-23Ae14U_PtqJCEFuOCGy1j4qFMEvoswJ9Dq0ceGVd3DS_V5MQp-WyGxTh9C8FBl6AZsjmDAn40GfhJf5rFn4djE60RzTb-LNwgxYMFVDdFcgbe8796mY4S0gI9RVW962o/s1600/Screen+Shot+2013-07-07+at+2.51.17+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="140" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwT-i8GWM7TI-23Ae14U_PtqJCEFuOCGy1j4qFMEvoswJ9Dq0ceGVd3DS_V5MQp-WyGxTh9C8FBl6AZsjmDAn40GfhJf5rFn4djE60RzTb-LNwgxYMFVDdFcgbe8796mY4S0gI9RVW962o/s400/Screen+Shot+2013-07-07+at+2.51.17+AM.png" width="400" /></a></div> <div> <br /></div> <br />Unknownnoreply@blogger.comtag:blogger.com,1999:blog-1893088872138294400.post-50598862418091308292013-07-06T23:39:00.001-07:002013-07-06T23:40:32.689-07:00On the Wall of Fame of SproutSocial<h2> <span style="font-size: small;">Nice I'm on the Wall of Fame of SproutSocial.com</span></h2> <div class="separator" style="clear: both; text-align: center;"> <br /></div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJ-PBnq84EpFcsvoOKW5LNaZqJy2_-Y6lpnB1RaAOKDOEY-R0kbUcZ7l8y3405OByPFRg1ra9wNLhC6OEIey7v2p9ZNMJ37yKwvNzOggOi2yVQ2m_VFGqMpJIulgRuN6fXwWWwgcDKFZCJ/s1600/Screen+Shot+2013-07-07+at+2.32.38+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="132" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJ-PBnq84EpFcsvoOKW5LNaZqJy2_-Y6lpnB1RaAOKDOEY-R0kbUcZ7l8y3405OByPFRg1ra9wNLhC6OEIey7v2p9ZNMJ37yKwvNzOggOi2yVQ2m_VFGqMpJIulgRuN6fXwWWwgcDKFZCJ/s400/Screen+Shot+2013-07-07+at+2.32.38+AM.png" width="400" /></a></div> <div class="separator" style="clear: both; text-align: center;"> <br /></div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiC5reicBdpvzTUz1RfkOFKXXOFjFpdAWjV2cgo_ao9ONH9hXir4LXV7iN7AvyS9K2Q9RSnCDdlTw50fj0WWArs0w4jEnQJarwBB8eT9TW9nCg5E2m34JFc8Jc86I9jkuJVIFDrDMuXDB8J/s1600/Screen+Shot+2013-07-07+at+2.35.44+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="211" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiC5reicBdpvzTUz1RfkOFKXXOFjFpdAWjV2cgo_ao9ONH9hXir4LXV7iN7AvyS9K2Q9RSnCDdlTw50fj0WWArs0w4jEnQJarwBB8eT9TW9nCg5E2m34JFc8Jc86I9jkuJVIFDrDMuXDB8J/s400/Screen+Shot+2013-07-07+at+2.35.44+AM.png" width="400" /></a></div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjp5NkcV6iMHy-iR62KEvG5EMeSOiVzfC1LYCpWFJhJ1crB91k-MX080ekrw4qYax-2tcEHri4pgsLLu1zv1I_k_8HcLQyK9JWDixZ0izxF63jpjnvqKU4Kmw7mRnQpBnWzpVWSv8AjrKlx/s1600/Screen+Shot+2013-06-16+at+4.05.40+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="211" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjp5NkcV6iMHy-iR62KEvG5EMeSOiVzfC1LYCpWFJhJ1crB91k-MX080ekrw4qYax-2tcEHri4pgsLLu1zv1I_k_8HcLQyK9JWDixZ0izxF63jpjnvqKU4Kmw7mRnQpBnWzpVWSv8AjrKlx/s400/Screen+Shot+2013-06-16+at+4.05.40+AM.png" width="400" /></a></div> <div class="separator" style="clear: both; text-align: center;"> <br /></div> <div class="separator" style="clear: both; text-align: left;"> <a href="http://sproutsocial.com/responsible-disclosure-policy">http://sproutsocial.com/responsible-disclosure-policy</a></div> <br />Unknownnoreply@blogger.comtag:blogger.com,1999:blog-1893088872138294400.post-79744741552587475822013-07-06T23:24:00.002-07:002013-07-06T23:24:47.489-07:00Reward from Bugcrowd for Beta015 and Beta016!<h2> <span style="font-size: small;">&nbsp;Nice I got reward from Bugcrowd for Beta015 and Beta016!</span></h2> <div class="separator" style="clear: both; text-align: center;"> <br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5WldgjRSgjnsxBYgsu-7XYoPXGqGnFfpjvLIgKVjdUw__DvIcp5FvdTh5gpC-VUyy0JvJsjvNtAWUF8EolDNDuxq3tXKIvKIdeN6TvTLSxonbgxJZnU70iKjeQObweFCD-JfnUG3IG68Z/s1600/Screen+Shot+2013-07-07+at+2.12.00+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="222" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5WldgjRSgjnsxBYgsu-7XYoPXGqGnFfpjvLIgKVjdUw__DvIcp5FvdTh5gpC-VUyy0JvJsjvNtAWUF8EolDNDuxq3tXKIvKIdeN6TvTLSxonbgxJZnU70iKjeQObweFCD-JfnUG3IG68Z/s400/Screen+Shot+2013-07-07+at+2.12.00+AM.png" width="400" /></a></div> <div class="separator" style="clear: both; text-align: center;"> <br /></div> <div class="separator" style="clear: both; text-align: center;"> <br /></div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXGTbfLGQeIPHtT4-LsuK9PNE7WK1BFDDQxamVp1DrKq6YD7r914-ZRSfoBWBclst1OVb7cKofVVXayYfUhIkZUzbSloLJjrNY2QXay8LwD6jRb-MCC558FrAk1ziSHkZhr0sFgNJG9BXi/s1600/Screen+Shot+2013-07-07+at+2.18.31+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="210" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXGTbfLGQeIPHtT4-LsuK9PNE7WK1BFDDQxamVp1DrKq6YD7r914-ZRSfoBWBclst1OVb7cKofVVXayYfUhIkZUzbSloLJjrNY2QXay8LwD6jRb-MCC558FrAk1ziSHkZhr0sFgNJG9BXi/s400/Screen+Shot+2013-07-07+at+2.18.31+AM.png" width="400" /></a></div> <div class="separator" style="clear: both; text-align: center;"> <br /></div> <div class="separator" style="clear: both; text-align: center;"> <br /></div> <div class="separator" style="clear: both; text-align: left;"> Thanks&nbsp;<a href="http://bugcrowd.com/">Bugcrowd</a></div> <br />Unknownnoreply@blogger.comtag:blogger.com,1999:blog-1893088872138294400.post-36340520528316177062013-07-06T22:46:00.001-07:002013-07-06T22:46:29.797-07:00Google Webchat | Cross Site Scripting Vulnerability<span style="color: #333333; font-family: Helvetica Neue, Arial, sans-serif;"><span style="font-size: 14px; line-height: 18px; white-space: pre-wrap;"><b>Google Webchat | Cross Site Scripting Vulnerability</b></span></span><br /> <span style="color: #333333; font-family: Helvetica Neue, Arial, sans-serif;"><span style="font-size: 14px; line-height: 18px; white-space: pre-wrap;"><br /></span></span> <span style="color: #333333; font-family: 'Helvetica Neue', Arial, sans-serif; font-size: 14px; line-height: 18px; white-space: pre-wrap;">I find out that <a href="http://fiber.google.com/">fiber.google.com</a> was using a </span><span style="color: #333333; font-family: Helvetica Neue, Arial, sans-serif;"><span style="font-size: 14px; line-height: 18px; white-space: pre-wrap;">third party app at </span></span><a href="fiber-chat.com:8443/googlechat/">fiber-chat.com:<wbr></wbr>8443/googlechat/</a>&nbsp; similar to&nbsp;<a href="http://bl0g.yehg.net/2012/04/fastpath-webchat-multiple-cross-site.html">FastPath Webchat&nbsp;that has multiple XSS</a><br /> <br />Turned out that the email parameter was&nbsp;<span style="background-color: white; color: #444444; font-family: arial, sans-serif; font-size: x-small; font-weight: bold; line-height: 16px;">vulnerable</span>&nbsp;to XSS<br /> <div> <br /></div> <div> test@gmail.com"&gt;&lt;svg/onload=alert(1)&gt;</div> <div> <br /></div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOd09RmjRZqBJWIUxq3DjqqlqZ_Kda5kvZ4XifSIqk3Vyxcc657m6gNmjo-Q6TJbADWeO1KXfqCHMZ5AQZPj3X0_38eg8IM3mlxpHEdO_dXxHfHtpYh3HW7LVON8gRGSVMcfRJPZLIUiw9/s1600/googlereport1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="221" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOd09RmjRZqBJWIUxq3DjqqlqZ_Kda5kvZ4XifSIqk3Vyxcc657m6gNmjo-Q6TJbADWeO1KXfqCHMZ5AQZPj3X0_38eg8IM3mlxpHEdO_dXxHfHtpYh3HW7LVON8gRGSVMcfRJPZLIUiw9/s400/googlereport1.png" width="400" /></a></div> <div class="separator" style="clear: both; text-align: center;"> <br /></div> <div class="separator" style="clear: both; text-align: left;"> When Login off the chat I got a positive XSS response.</div> <div> <br /></div> <span style="color: #333333; font-family: Helvetica Neue, Arial, sans-serif;"><span style="font-size: 14px; line-height: 18px; white-space: pre-wrap;"><br /></span></span> <div class="separator" style="clear: both; text-align: center;"> <a href="https://pbs.twimg.com/media/BNOIg2cCMAAi4rr.png:large" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="230" src="https://pbs.twimg.com/media/BNOIg2cCMAAi4rr.png:large" width="400" /></a></div> <span style="color: #333333; font-family: Helvetica Neue, Arial, sans-serif;"><span style="font-size: 14px; line-height: 18px; white-space: pre-wrap;"><br /></span></span> <span style="color: #333333; font-family: Helvetica Neue, Arial, sans-serif;"><span style="font-size: 14px; line-height: 18px; white-space: pre-wrap;">I Report this to Google Security Team and the response was this:</span></span><br /> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHx-O25FnG3xXoA7t67OSTOO8XxZYL9x2KwvbErmnp_Ei3RfVy6oT8i9MdA2i4Tcns4w48ZGm9VMQ3RliAdTg02iVXYuZcu1LPx9VTjt11VTNPKW3Jv5wQIUxIAnTO3ECSGj5mY_Cgirqz/s1600/Screen+Shot+2013-07-07+at+1.41.37+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="142" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHx-O25FnG3xXoA7t67OSTOO8XxZYL9x2KwvbErmnp_Ei3RfVy6oT8i9MdA2i4Tcns4w48ZGm9VMQ3RliAdTg02iVXYuZcu1LPx9VTjt11VTNPKW3Jv5wQIUxIAnTO3ECSGj5mY_Cgirqz/s400/Screen+Shot+2013-07-07+at+1.41.37+AM.png" width="400" /></a></div> <div class="separator" style="clear: both; text-align: center;"> <br /></div> <span style="color: #333333; font-family: Helvetica Neue, Arial, sans-serif;"><span style="font-size: 14px; line-height: 18px; white-space: pre-wrap;"><br /></span></span> <span style="color: #333333; font-family: Helvetica Neue, Arial, sans-serif;"><span style="font-size: 14px; line-height: 18px; white-space: pre-wrap;"><b><br /></b></span></span> <span style="color: #333333; font-family: Helvetica Neue, Arial, sans-serif;"><span style="font-size: 14px; line-height: 18px; white-space: pre-wrap;"><b>Report: Tue, Jun 18, 2013 1:34PM&nbsp;</b></span></span><br /> <span style="color: #333333; font-family: Helvetica Neue, Arial, sans-serif;"><span style="font-size: 14px; line-height: 18px; white-space: pre-wrap;"><b>Fix: Wed, Jun 19, 2013 9:00AM</b></span></span><br /> <span style="color: #333333; font-family: Helvetica Neue, Arial, sans-serif;"><span style="font-size: 14px; line-height: 18px; white-space: pre-wrap;"><b>No Reward for this Bug</b></span></span><br /> <span style="color: #333333; font-family: Helvetica Neue, Arial, sans-serif;"><span style="font-size: 14px; line-height: 18px; white-space: pre-wrap;"><br /></span></span>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-1893088872138294400.post-77395441267687951452013-07-06T22:08:00.003-07:002013-07-06T22:53:42.723-07:00XSS at us7.admin.mailchimp.com and help.mailchimp.com<span style="background-color: white; color: #333333; font-family: Helvetica Neue, Arial, sans-serif; line-height: 18px; white-space: pre-wrap;"><b>XSS at us7.admin.mailchimp.com and help.mailchimp.com</b></span><br /> <span style="background-color: white; color: #333333; font-family: 'Helvetica Neue', Arial, sans-serif; line-height: 18px; white-space: pre-wrap;"><br /></span> <span style="background-color: white; color: #333333; font-family: 'Helvetica Neue', Arial, sans-serif; line-height: 18px; white-space: pre-wrap;">I found XSS at </span><span style="color: #0099b9; font-family: Helvetica Neue, Arial, sans-serif;"><span style="line-height: 0px; white-space: pre-wrap;">us7.admin.mailchimp.com</span></span><span style="background-color: white; color: #333333; font-family: 'Helvetica Neue', Arial, sans-serif; line-height: 18px; white-space: pre-wrap;">&nbsp;</span><br /> <b><span style="background-color: white; color: #333333; font-family: 'Helvetica Neue', Arial, sans-serif; line-height: 18px; white-space: pre-wrap;"><br /></span></b> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEimJ8z_Ds90u1ow4klYzV0sFhBziFaT9ID1apsxKgCwWtTiCGw7x3b9R2kzS7Gj0SAOUTHNX2tv23kOjqBAz4MYrs80uWNkGPfOXRqhkUuWKSyE-tNxpkvfeqzqzQQFfWSLY4ftbJgpBLWB/s1600/Screen+Shot+2013-06-16+at+2.41.08+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="250" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEimJ8z_Ds90u1ow4klYzV0sFhBziFaT9ID1apsxKgCwWtTiCGw7x3b9R2kzS7Gj0SAOUTHNX2tv23kOjqBAz4MYrs80uWNkGPfOXRqhkUuWKSyE-tNxpkvfeqzqzQQFfWSLY4ftbJgpBLWB/s400/Screen+Shot+2013-06-16+at+2.41.08+PM.png" width="400" /></a></div> <b><span style="background-color: white; color: #333333; font-family: 'Helvetica Neue', Arial, sans-serif; line-height: 18px; white-space: pre-wrap;"><br /></span></b> <span style="color: #333333; font-family: Helvetica Neue, Arial, sans-serif;"><span style="line-height: 18px; white-space: pre-wrap;">And an other Flash XSS at help.mailchimp.com</span></span><br /> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://pbs.twimg.com/media/BNQNwLCCAAAGjAe.png:large" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="227" src="https://pbs.twimg.com/media/BNQNwLCCAAAGjAe.png:large" width="400" /></a></div> <span style="background-color: white; color: #333333; font-family: 'Helvetica Neue', Arial, sans-serif; font-size: 14px; line-height: 18px; white-space: pre-wrap;"><b><br /></b></span> <b><span style="background-color: white; color: #333333; font-family: 'Helvetica Neue', Arial, sans-serif; line-height: 18px; white-space: pre-wrap;">Report:Mon, Jun 17, 2013 at 12:46 AM</span><span style="background-color: white; color: #333333; font-family: 'Helvetica Neue', Arial, sans-serif; line-height: 18px; white-space: pre-wrap;"> </span></b><br /> <span style="background-color: white; color: #333333; font-family: 'Helvetica Neue', Arial, sans-serif; line-height: 18px; white-space: pre-wrap;"><b>Fix:Tue, Jun 18, 2013 at 9:00 AM</b></span>Unknownnoreply@blogger.com