StumbleUpon XSS

I discovered a type 1 XSS issue in the StumbleUpon website. Input in the POST form at http://www.stumbleupon.com/delete_account.php was not properly sanitized. I’ve created an example that executed script in the www.stumbleupon.com domain. It shows a popup containing your current username (if you are logged in), the domain and the cookie for the domain. The repro can be found here:
http://skypher.com/SkyLined/Repro/StumbleUpon/XSS%20in%20delete_account.php.html. The StumbleUpon people were very quick to respond and fix the issue. You will notice that the repro no longer works.

XSS bugs in social websites like StumbleUpon are especially dangerous as such websites may allow an attacker to create an XSS worm. An XSS worm is a piece of JavaScript and HTML which uses XSS to post messages on behalf of any user visiting a page that contains the worm. These messages will put the worm code on other pages as well, causing those pages to also start spreading it whenever a victim visits the page. This causes it to spread faster and faster as more and more pages are infected.
