XSS found in @drako's scribe.hivekings.com [solved]
DISCLOSURE:
@drakos I found an XSS in one of the sites you maintain. Sending you the details in a private message!
UPDATE:
After the released fix, code execution is now prevented, but the site is still not safu. 😅😅😅😅😅😅😅😅😅😅
New exploit:
Post-mortem summary
This week @runridefly, an account with $3,324.79 in their wallet, accidentally leaked their private ACTIVE key:
https://hive.blog/steem/@keys-defender/successfullyprotected-1599725656390
As usual, my bot @keys-defender automatically warned them via a reply and a transfer memo and moved their funds into their savings.
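The kind of scan a key-leak watcher like the one described above has to run is easy to get wrong (a 64-character transaction hash is not a key, a 51-character base58 run starting with '5' might be). The block below is an added example, not @keys-defender's code, that flags strings shaped like a Hive/Steem private key in WIF form (51 base58 characters, first character '5', decoding to a 0x80 version byte, 32 key bytes and a 4-byte checksum). The post body and the key it contains are constructed for the demonstration; the sample key is 32 bytes of 0x01 with a dummy checksum, and the checksum is deliberately not verified here (a production scanner would add the double-SHA256 check).

```javascript
// Added example, not @keys-defender's code: scan a post body for strings shaped
// like a Hive/Steem private key in WIF form (51 base58 chars, first char '5').
// Candidates are base58-decoded and must yield 37 bytes with version byte 0x80.
// Assumption: the 4-byte double-SHA256 checksum is NOT verified in this block.

const B58 = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz';

// Decode a base58 string into a byte array using BigInt arithmetic.
// Leading-'1' handling is omitted because a WIF payload always starts with 0x80.
function base58Decode(str) {
  let n = 0n;
  for (const ch of str) {
    const idx = B58.indexOf(ch);
    if (idx < 0) return null;
    n = n * 58n + BigInt(idx);
  }
  const bytes = [];
  while (n > 0n) { bytes.unshift(Number(n % 256n)); n /= 256n; }
  return bytes;
}

// Encode bytes as base58; only used to build the constructed sample key below.
function base58Encode(bytes) {
  let n = bytes.reduce((acc, b) => acc * 256n + BigInt(b), 0n);
  let out = '';
  while (n > 0n) { out = B58[Number(n % 58n)] + out; n /= 58n; }
  return out;
}

// Structural check: 51 chars, valid alphabet, and the decoded payload is
// 0x80 || 32-byte key || 4-byte checksum (37 bytes).
function looksLikeWif(candidate) {
  if (candidate.length !== 51 || candidate[0] !== '5') return false;
  const bytes = base58Decode(candidate);
  return bytes !== null && bytes.length === 37 && bytes[0] === 0x80;
}

// A WIF candidate is an isolated run of exactly 51 base58 chars starting with
// '5'; the lookarounds stop a longer base58 run (e.g. a hash) from matching.
const WIF_RE = /(?<![1-9A-HJ-NP-Za-km-z])5[1-9A-HJ-NP-Za-km-z]{50}(?![1-9A-HJ-NP-Za-km-z])/g;

// Returns every structurally valid WIF found in the text with its offset.
function findLeakedKeys(postBody) {
  const hits = [];
  for (const m of postBody.matchAll(WIF_RE)) {
    if (looksLikeWif(m[0])) hits.push({ key: m[0], offset: m.index });
  }
  return hits;
}

// Constructed sample key: 32 bytes of 0x01 plus a dummy checksum. Not a real key.
const SAMPLE_KEY = base58Encode([0x80, ...new Array(32).fill(0x01), 0xde, 0xad, 0xbe, 0xef]);

// Constructed post body in the shape the post-mortem describes: the key pasted
// where an image URL should have been.
const SAMPLE_POST = `Morning run, 5 km.\n![actifit](${SAMPLE_KEY})\nTx: 9f2e...`;

console.log(findLeakedKeys(SAMPLE_POST));
```

The structural decode is what keeps the false-positive rate down: a random 51-character base58 string starting with '5' is accepted by the regex, but only one that decodes to a 0x80-prefixed 37-byte payload is reported.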
This is the culprit post:
https://hiveblocks.com/hive-193552/@runridefly/actifit-runridefly-20200910t063328127z
After noticing the new leak, I used hiveblockexplorer.com to see the raw content of the post in order to understand where they had leaked their key (usually it's pasted in place of a link or image source).
I could not find it so I used @drako's wonderful tool scribe.hivekings.com that allows you to see past edits.
There I noticed that some images were rendered by the browser where they were not supposed to be. That screamed XSS!
I did a couple tests:
and verified that it was indeed the case.
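The root cause described above is an edit viewer that interpolated stored post content into its own markup, so tags in a revision were parsed by the browser instead of being shown as text. The block below is an added example, not code from scribe.hivekings.com or @drako, contrasting that unsafe rendering with output encoding at the point where user-controlled values enter the HTML. The revisions are constructed; `escapeHtml`, `renderRevisionSafe` and `leaksUserTags` are names chosen for this example.

```javascript
// Added example, not code from scribe.hivekings.com: render stored post
// revisions as inert text so the browser never interprets user-supplied HTML.
// All revision data below is constructed for the demonstration.

// The five characters that matter in HTML text and attribute contexts.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe variant: the raw body is interpolated into markup, so an <img> (or
// any other tag) inside a revision is parsed by the viewer's browser.
function renderRevisionUnsafe(rev) {
  return `<section class="rev"><h3>${rev.timestamp}</h3><pre>${rev.body}</pre></section>`;
}

// Safe variant: every user-controlled value is escaped at output time, so the
// body is displayed as text, which is exactly what an edit-history view wants.
function renderRevisionSafe(rev) {
  return `<section class="rev"><h3>${escapeHtml(rev.timestamp)}</h3><pre>${escapeHtml(rev.body)}</pre></section>`;
}

function renderHistory(revisions, render = renderRevisionSafe) {
  return revisions.map(render).join('\n');
}

// Check used in a test: strip the viewer's own template tags and see whether
// anything that still parses as a tag (i.e. came from user input) remains.
function leaksUserTags(html) {
  const withoutTemplate = html.replace(/<\/?(section|h3|pre)\b[^>]*>/g, '');
  return /<[a-zA-Z!/]/.test(withoutTemplate);
}

// Constructed sample: the second revision carries a raw image tag in the body.
const SAMPLE_REVISIONS = [
  { timestamp: '2020-09-10T06:33:28Z', body: 'Morning run. ![photo](https://example.invalid/run.jpg)' },
  { timestamp: '2020-09-10T06:40:00Z', body: 'Morning run. <img src="https://example.invalid/run.jpg">' },
];

console.log(renderHistory(SAMPLE_REVISIONS));
```

Escaping on output rather than trying to strip "bad" tags on input is the design choice that matters here: the viewer's job is to show what was stored, byte for byte, and `escapeHtml` does that without any allow-list to get wrong.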
The site is now safu. I will keep you posted on other findings 😎👍 😎👍😎👍😎👍😎👍
Previous security disclosures of mine (from the most recent):
I was going to comment something else, but then I read the word "drakos". He was a shithead to me, downvoting many of my posts out of spite.
Because you were a shithead yourself who started it in the first place.
Fixed. Thanks for the notice.
@drakos nope, still not safu! :)
Still vulnerable: