XSS vulnerability in one of the Hive frontends
[Images: two humorous programming book covers, taken from "Humorous programming books by @ThePracticalDev"]
I was just browsing around Hive and decided to navigate to the Dapps section to see if anything cool came out.
I attended HiveFest on Friday (my pics here!) and heard about a frontend that got me intrigued. I decided to check it out and noticed that the styling was off in some places.
That got me thinking that if the devs rushed things out from a design perspective, they probably also didn't give too much thought to security.
I tried a few tricks from my hat and managed to store some (harmless) code in the Hive blockchain that now gets executed by all users visiting some specific content using that frontend.
A couple of months back I did a tech talk in my company about some security vulnerabilities I found in 3 different internal systems that my employer uses to manage employees' resumes, store performance reviews, and train their employees.
Here is one of the slides I used with a summary of how dangerous an XSS vulnerability can be:
The vulnerability has now been reported to the site maintainer. More details will follow once it's fixed.
I'll express my opinion on the effectiveness of the fix and the team response time.
Some more funny pics because these (fake) books are too funny..
28/12/2020: It looks like @louis88 reported another XSS in the same website weeks ago.
The maintainer at the moment does not have time to fix the issue:
"Just overwhelmed for almost 9 months with COVID stuff so that I have no time for anything else..."
Community members may be able to work on it since the repository is open source. Stay tuned for updates.