Stored XSS vulnerability in hiveblockexplorer.com !! [SOLVED]

gaottantacinque in #hive • 6 months ago (edited)

_{_src}

I was trying to understand better how Hive works at a technical level, so I was going through some documentation and exploring the content of blocks. I came across [a transaction](https://hiveblockexplorer.com/tx/8437cffaa71b2fcf292584f19ea407c6dfb40b24] that displayed the user logo at the end of the post text.

That immediately rang a bell. That image should not be there.. only text should be in that table cell!

Therefore I inspected the page and noticed that indeed some text was being parsed by the browser, meaning that it was not correctly sanitized on the server side.

I checked how the post text looked like in the hive block and I crafted a similar comment with some hidden code in it.

Result: I checked my new comment on hiveblockexplorer.com and the site executed my code!!

XSS ✅

{{ for more details on what XSS is see: https://www.imperva.com/learn/application-security/cross-site-scripting-xss-attacks }}

Proof:

If you want to check yourself, I stored my harmless XSS here_{PS. now fixed by @penguinpablo.}

If you click on that link:

You will see the alert in the screenshot above;
After 10s you will be redirected to this post of mine.

This happens because the website parses my specially crafted TEXT as code and executed it! That should never happen.

The code stored on that page could obviously be used for evil things like redirecting users to a phishing page!

A user could fall victim of it because a malicious attacker could keep spamming these type of messages into blocks OR, even worse, they could send another user a link crafted in this way as a proof of previous payment, in order to try to steal their private keys.

Guys that maintain hiveblockexplorer.com (@penguinpablo), please fix this ASAP!
Contact me on Discord if you need more details.
#xss #abuse #security #disclosure #shipit #fixasap

UPDATE 1: the same vulnerability is also on steemblockexplorer.com .. but maybe we can leave it like that there. Freaking Justin loves thieves after all..

UPDATE 2: @penguinpablo today fixed the issue: https://hive.blog/hive/@penguinpablo/qfk9ge
Good stuff!!

Domain now removed from @keys-defender blacklist.
!remove hiveblockexplorer.com

_{Previous security disclosures of mine:}

_{Malicious ads injecting code on steemit for all iOS users: https://hive.blog/steemit/@gaottantacinque/steemit-got-hacked}
_{Reverse tabnabbing and clickjacking: https://hive.blog/security/@gaottantacinque/steemit-chat-is-unsafe}

#hivedev #security #phishing #hacking #palnet #neoxian #xss #abuse

6 months ago in #hive by gaottantacinque

0.00 PAL

Sort:

Trending

[-]

howo 6 months ago

Well done ! But please in the future contact the maintainer so he can patch the security issue before releasing it to the public. You are endangering the ecosystem by doing it that way.

0.00 PAL

2 votes

[-]

keys-defender 6 months ago (edited)

True, but..

I did not share the exploit;
I have been trying to reach him on multiple channels already;
There's no session to be compromised on that site (as I mentioned in the post, only the redirection bit is dangerous).

👍

0.00 PAL

2 votes

[-]

gaottantacinque 6 months ago (edited)

PS. @howo Today I launched this, better?? 😏😏
[auto-replies to posts and comments with known compromised domains or phishing links]
https://hive.blog/hive/@keys-defender/new-feature-phishing-detection-and-auto-reply

cc: @therealwolf @saboin

0.00 PAL

2 votes

[-]

howo 6 months ago

Pretty cool tool !

0.00 PAL

[-]

gaottantacinque 6 months ago

@howo FYI - the issue is now resolved 👍
https://hive.blog/hive/@penguinpablo/qfk9ge

0.00 PAL

[-]

gtg 6 months ago

UPDATE: the same vulnerability is also on steemblockexplorer(...)

They don't need XSS to steal from users. People who use ~~Steem~~ these days should assume that their funds can be stolen at any moment.

0.00 PAL

8 votes

[-]

keys-defender 6 months ago

Very true! 🙂😌

0.00 PAL

2 votes

[-]

louis88 6 months ago

Found also a new XSS not yet fixxed on the same site. Messaged u on Discord.

0.00 PAL

3 votes

[-]

gtg 6 months ago

I'm not using a discord. Come to the https://openhive.chat
You can find me (@gandalf) on #general channel or #witness or #help.

0.00 PAL

1 vote

[-]

gaottantacinque 6 months ago

@gtg @louis88 the issue is now resolved 👍
https://hive.blog/hive/@penguinpablo/qfk9ge

0.00 PAL

[-]

louis88 6 months ago

Nope it's not resolved yet - just checked. @penguinpablo is not reachable on any Chat-Service so it have sent him a private memo in his wallet with Informations to the XSS i found.

0.00 PAL

3 votes

[-]

gaottantacinque 6 months ago

@louis88
Make sure you clear your cache.
I don’t see your memo, if another field was not fixed you could send it to him encrypted with his public memo key so that only he can decrypt it with his private key.

0.00 PAL

[-]

louis88 6 months ago

Sure. i cleared the whole Site data in the Developer Console and opend the page where i stored the Script. And yes, i got the alert.

I have sent penguinpablo an encrypted memo on hive because he is the project owner. sure ;)

0.00 PAL

4 votes

[-]

gaottantacinque 6 months ago

Ah, just saw it. Sent 9 hours ago 👍

https://hiveblocks.com/tx/69410f0770d8e4db4cac96a8c08d6f60eb24cd97

0.00 PAL

1 vote

Show 1 more reply

[-]

gaottantacinque 6 months ago (edited)

@gtg FYI: I launched this too today and obviosly it is NOT running on Steem 😏😏
[auto-replies to posts and comments with known phishing links]
https://hive.blog/hive/@keys-defender/new-feature-phishing-detection-and-auto-reply

0.00 PAL

[-]

penguinpablo 6 months ago

Thank you for pointing this out.

It has been fixed. The URL below is now safe. Make sure it is not loading from your browser cache (even though it is harmless anyway).

https://www.hiveblockexplorer.com/tx/95c5b404d935cf1beba7d90bade6948f116e199e

0.00 PAL

4 votes

[-]

louis88 6 months ago

please check your memo. i found another XSS which is also dangerous like the other.

0.00 PAL

4 votes

[-]

keys-defender 6 months ago

Nice! Thanks for resolving this @penguinpablo.

Will remove hiveblockexplorer.com from my blacklist (it was temporary added until the issue was resolved).

Take care

0.00 PAL

2 votes

[-]

discovery-it 6 months ago

💪

0.00 PAL

2 votes

[-]

louis88 6 months ago

@penguinpablo Please contact me on https://openhive.chat where you can just simple Login with your Private Posting Key. I found another XSS and would like to Discuss this with you.

Thanks
@louis88

0.00 PAL

3 votes

[-]

gaottantacinque 6 months ago

Yeh, multiple fields are affected. The server side sanitation in use in not complete.

0.00 PAL

[-]

gaottantacinque 6 months ago

Any update @penguinpablo please?

0.00 PAL

[-]

upvotebank 6 months ago

Hi, I can see that you are doing well here on Hive. You should try our Upvote service, we have just opened up for registration. Take a look at our lates post. We need more members. 😉