Stored XSS vulnerability in hiveblockexplorer.com !! [SOLVED]

in #hive · 6 months ago (edited)

I was trying to understand better how Hive works at a technical level, so I was going through some documentation and exploring the content of blocks. I came across [a transaction](https://hiveblockexplorer.com/tx/8437cffaa71b2fcf292584f19ea407c6dfb40b24) that displayed the user logo at the end of the post text.

That immediately rang a bell. That image should not be there: only text should be in that table cell!

Therefore I inspected the page and noticed that indeed some of the text was being parsed by the browser as HTML, meaning that it was not correctly sanitized on the server side.

I checked what the post text looked like in the Hive block and crafted a similar comment with some hidden code in it.

Result: I checked my new comment on hiveblockexplorer.com and the site executed my code!!

  • XSS ✅

(For more details on what XSS is, see: https://www.imperva.com/learn/application-security/cross-site-scripting-xss-attacks)

Proof:


If you want to check for yourself, I stored my harmless XSS here.

PS: now fixed by @penguinpablo.

If you click on that link:

  • You will see the alert in the screenshot above;

  • After 10s you will be redirected to this post of mine.


This happens because the website parses my specially crafted TEXT as code and executes it! That should never happen.
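As an added example (not code from hiveblockexplorer.com, whose implementation is not shown on this page), here is the difference between an explorer page that interpolates a comment body straight into its HTML and one that escapes it first. The transaction object, the placeholder trx_id and the payload are constructed for the demo; the check at the end is the kind of regression test a maintainer could keep.

```javascript
// Added example, not hiveblockexplorer.com's code: the vulnerable and the
// hardened way to render a comment body pulled out of a Hive block.

// Constructed sample transaction: one "comment" operation whose body is
// attacker-controlled text. The trx_id is a placeholder, not a real tx.
const sampleTx = {
  trx_id: "0000000000000000000000000000000000000000",
  operations: [
    ["comment", {
      author: "someuser",
      permlink: "proof-of-payment",
      body: 'Thanks for the payment! <img src="x" onerror="alert(1)">',
    }],
  ],
};

// VULNERABLE: the body is dropped into the HTML as-is, so the browser parses
// the <img> tag and fires its onerror handler for everyone who opens the page.
function renderRowVulnerable(op) {
  return `<tr><td>body</td><td>${op.body}</td></tr>`;
}

// Escape the five characters that matter in HTML text and attribute contexts.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// FIXED: the body is displayed as text; markup arrives as literal characters.
function renderRowSafe(op) {
  return `<tr><td>body</td><td>${escapeHtml(op.body)}</td></tr>`;
}

// Regression check for the explorer's own tests: after the template's own tags
// are removed, no '<' or '>' may survive from untrusted fields.
const TEMPLATE_TAGS = ["<tr>", "</tr>", "<td>", "</td>"];
function leaksMarkup(html) {
  let rest = html;
  for (const tag of TEMPLATE_TAGS) rest = rest.split(tag).join("");
  return /[<>]/.test(rest);
}

function demo(tx = sampleTx) {
  const op = tx.operations[0][1];
  return {
    vulnerableLeaks: leaksMarkup(renderRowVulnerable(op)), // true
    safeLeaks: leaksMarkup(renderRowSafe(op)),             // false
    safeHtml: renderRowSafe(op),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point that matters for a block explorer: the attacker's text lives on the chain and cannot be cleaned up at the source, so every front end that reads blocks has to treat each field copied from an operation as untrusted and encode it for the context it lands in (HTML text, attribute, URL or script). Letting the templating engine escape by default avoids missing a field, which is exactly the failure mode the comments below report. A Content-Security-Policy that blocks inline scripts is a useful second layer, not a replacement for the encoding.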


The code stored on that page could obviously be used for evil things like redirecting users to a phishing page!

A user could fall victim to it because a malicious attacker could keep spamming these types of messages into blocks OR, even worse, they could send another user a link crafted in this way as proof of a previous payment, in order to try to steal their private keys.

Guys that maintain hiveblockexplorer.com (@penguinpablo), please fix this ASAP!
Contact me on Discord if you need more details.
#xss #abuse #security #disclosure #shipit #fixasap


UPDATE 1: the same vulnerability is also on steemblockexplorer.com .. but maybe we can leave it like that there. Freaking Justin loves thieves after all..


UPDATE 2: @penguinpablo today fixed the issue: https://hive.blog/hive/@penguinpablo/qfk9ge
Good stuff!!

Domain now removed from @keys-defender blacklist.
!remove hiveblockexplorer.com



Previous security disclosures of mine:


Well done! But please in the future contact the maintainer so he can patch the security issue before releasing it to the public. You are endangering the ecosystem by doing it that way.

True, but..

  • I did not share the exploit;
  • I have been trying to reach him on multiple channels already;
  • There's no session to be compromised on that site (as I mentioned in the post, only the redirection bit is dangerous).

👍

PS. @howo Today I launched this, better?? 😏😏
[auto-replies to posts and comments with known compromised domains or phishing links]
https://hive.blog/hive/@keys-defender/new-feature-phishing-detection-and-auto-reply

cc: @therealwolf @saboin

Pretty cool tool !

@howo FYI - the issue is now resolved 👍
https://hive.blog/hive/@penguinpablo/qfk9ge

UPDATE: the same vulnerability is also on steemblockexplorer(...)

They don't need XSS to steal from users. People who use Steem these days should assume that their funds can be stolen at any moment.

Very true! 🙂😌

Also found a new XSS not yet fixed on the same site. Messaged you on Discord.

I'm not using a discord. Come to the https://openhive.chat
You can find me (@gandalf) on #general channel or #witness or #help.

Nope, it's not resolved yet - just checked. @penguinpablo is not reachable on any chat service, so I have sent him a private memo in his wallet with information on the XSS I found.

@louis88
Make sure you clear your cache.
I don’t see your memo, if another field was not fixed you could send it to him encrypted with his public memo key so that only he can decrypt it with his private key.

Sure. I cleared the whole site data in the developer console and opened the page where I stored the script. And yes, I got the alert.

I have sent penguinpablo an encrypted memo on hive because he is the project owner. sure ;)

@gtg FYI: I launched this too today and obviously it is NOT running on Steem 😏😏
[auto-replies to posts and comments with known phishing links]
https://hive.blog/hive/@keys-defender/new-feature-phishing-detection-and-auto-reply

Thank you for pointing this out.

It has been fixed. The URL below is now safe. Make sure it is not loading from your browser cache (even though it is harmless anyway).

https://www.hiveblockexplorer.com/tx/95c5b404d935cf1beba7d90bade6948f116e199e

please check your memo. i found another XSS which is also dangerous like the other.

Nice! Thanks for resolving this @penguinpablo.

Will remove hiveblockexplorer.com from my blacklist (it was temporary added until the issue was resolved).

Take care

💪

@penguinpablo Please contact me on https://openhive.chat where you can simply log in with your private posting key. I found another XSS and would like to discuss this with you.

Thanks
@louis88

Yeah, multiple fields are affected. The server-side sanitization in use is not complete.

Any update @penguinpablo please?

Hi, I can see that you are doing well here on Hive. You should try our upvote service, we have just opened up for registration. Take a look at our latest post. We need more members. 😉

Do not click on any link on this post/comment

❗ ❗ ❗ ❗ ❗

It contains a link that is currently on my list as PHISHING   ❗
-> "https://hiveblockexplorer.com/tx/*"


More info: https://hive.blog/hive/@gaottantacinque/hiveblockexplorer-com-is-vulnerable-to-stored-xss
@keys-defender
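An added example, not @keys-defender's own code: one way an auto-reply bot can match the links in a post or comment against a blacklist of wildcard URL patterns like the "https://hiveblockexplorer.com/tx/*" entry quoted in the warning above. The second blacklist entry, the sample comment bodies and the tx id are constructed, and how keys-defender actually matches is not described on this page.

```javascript
// Added example, not @keys-defender's code: flag links in a post or comment
// that match wildcard blacklist patterns. Blacklist, comments and the tx id
// below are constructed for the demo.

const BLACKLIST = [
  "https://hiveblockexplorer.com/tx/*",  // the pattern quoted in the bot's reply
  "evil-wallet-login.example/*",         // constructed; no scheme = http or https
];

// Build an anchored, case-insensitive RegExp from a wildcard pattern.
// Only '*' is special; every other character is matched literally.
function patternToRegExp(pattern) {
  const hasScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(pattern);
  const body = pattern
    .replace(/[.+?^${}()|[\]\\]/g, "\\$&")  // escape regex metacharacters
    .replace(/\*/g, ".*");
  const prefix = hasScheme ? "" : "https?:\\/\\/(?:www\\.)?";
  return new RegExp("^" + prefix + body + "$", "i");
}

// Pull http(s) URLs out of free text (plain or inside markdown links).
function extractUrls(text) {
  return text.match(/https?:\/\/[^\s<>"'()\[\]]+/gi) || [];
}

// Canonical form for matching: lowercase host, no leading "www.", no fragment.
// Returns null for strings the URL parser rejects.
function normalizeUrl(raw) {
  try {
    const u = new URL(raw);
    u.hash = "";
    u.hostname = u.hostname.replace(/^www\./, "");
    return u.href;
  } catch {
    return null;
  }
}

// Every link in the text that matches a blacklist entry, with the entry it hit.
function findPhishingLinks(text, blacklist = BLACKLIST) {
  const rules = blacklist.map((p) => ({ pattern: p, re: patternToRegExp(p) }));
  const hits = [];
  for (const raw of extractUrls(text)) {
    const url = normalizeUrl(raw);
    if (url === null) continue;
    const rule = rules.find((r) => r.re.test(url));
    if (rule) hits.push({ url: raw, pattern: rule.pattern });
  }
  return hits;
}

// The reply the bot would post, or null when the text is clean.
function buildWarning(hits) {
  if (hits.length === 0) return null;
  const lines = [
    "Do not click on any link on this post/comment",
    "It contains a link that is currently on my list as PHISHING",
    ...hits.map((h) => `-> "${h.pattern}"`),
  ];
  return lines.join("\n");
}

// Constructed comment bodies for the demo.
const SAMPLE_COMMENTS = [
  "Proof of my payment: https://www.HiveBlockExplorer.com/tx/0000000000000000000000000000000000000000#ops",
  "Docs are at https://developers.hive.io/",
  "[login](HTTP://Evil-Wallet-Login.example/signin?next=keys) to claim your reward",
];

for (const c of SAMPLE_COMMENTS) console.log(buildWarning(findPhishingLinks(c)) ?? "clean");
```

Matching on explicit patterns is deliberately conservative: once the explorer was fixed the entry was dropped again (the "!remove hiveblockexplorer.com" command in the post), and a looser rule would keep flagging a legitimate site. A pattern list like this does not catch lookalike domains, punycode hosts or link shorteners; those need their own checks.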


Test passed..

🙂👍