Universe.com Stored XSS Vulnerability
April 17, 2017 | English | Disclosure, Security, XSS
After registering for the purchase of two tickets, I was redirected to my online Universe.com profile. I thought, heck, why not. Let’s add a bit more info to that empty profile.
The developer (and perhaps pentester) inside of me got triggered for some reason, wondering whether the contents of my description field would be properly stripped of HTML tags by the server and client before being stored and publicly shown on my profile.
And to my surprise, after sending the description to the server by pressing the Update Profile button, I was greeted by not just any alert message: apparently the XSS injection had also broken the front-end client.
I immediately sent an email to the Technical Support of Universe.com, minutes after my discovery.
So I started to evaluate (pun intended) the situation while waiting for a response.
One might say, sure okay, this is bad. So far only visitors looking at my profile page are affected. But it’s not that bad, right? Well, think again. A developer with malicious intentions could inject his or her own script. For example, he or she could start stealing visitors’ session cookies, or redirect them to a phishing site. Remember, the attacker has full access to the client, and can act as the client on this page.
I can’t imagine what the consequences would have been if an attacker had found an XSS vulnerability in, say, the billing area of Universe.com (we are, after all, dealing with a platform focussed on money and credit cards).
After one month, having received no further response from Universe.com, the issue seemingly got fixed: HTML tags are now properly removed from descriptions sent to the server. Although a response would have been nice.
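As an added illustration of the defensive side (this is not Universe.com’s code, and I have no access to their implementation), here is what a server-side render path for a profile description looks like when the description is output-encoded instead of trusted. The function and class names, and the sample description, are constructed for this example.

```javascript
// Added example, not Universe.com's code: contextual HTML output encoding for a
// user-controlled profile description. Encoding at the point the value enters
// HTML, rather than stripping tags on input, keeps the user's text intact and
// leaves the browser nothing to interpret as markup.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

// Encode the five characters that carry meaning in an HTML text or
// double/single-quoted attribute context; everything else passes through.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Server-side input validation: normalise whitespace and enforce a length
// cap. Validation limits abuse; it does not replace output encoding.
function validateDescription(raw, maxLength = 500) {
  const text = String(raw).replace(/\r\n?/g, '\n').trim();
  if (text.length > maxLength) {
    throw new RangeError(`description exceeds ${maxLength} characters`);
  }
  return text;
}

// Build the profile fragment the way an auto-escaping template engine would.
// The element and class name are assumptions for this example.
function renderProfileDescription(description) {
  const safe = escapeHtml(validateDescription(description));
  return `<p class="profile-description">${safe}</p>`;
}

// Constructed sample input: harmless markup mixed with a script tag, the kind
// of field content a profile page must be able to display literally.
const SAMPLE_DESCRIPTION = 'Hi <b>there</b> & welcome <script>alert(1)</script>';

// Self-check: apart from the wrapping <p> element, the rendered fragment must
// contain no tag-opening characters at all.
function containsOnlyWrapperTags(html) {
  const inner = html.replace(/^<p class="profile-description">/, '').replace(/<\/p>$/, '');
  return !inner.includes('<') && !inner.includes('>');
}
```

Running `renderProfileDescription(SAMPLE_DESCRIPTION)` yields a fragment in which the script tag survives only as literal text, so the browser shows it rather than executes it.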
You’re welcome, Universe.com :)
| Date | Event |
|---|---|
| Dec 19 2016 | Discovery & notified Universe.com |
| Dec 20 2016 | “This [issue] has been passed along to our development team” |
| Feb 2017 | Issue got fixed (no follow-up email received) |
| Apr 09 2017 | 7 days publication notice sent |
| Apr 17 2017 | Post published |