src
DISCLOSURE:
@drakos I found an XSS in one of the sites you maintain. Sending you the details in a private message!
UPDATE:
After the released fix, code execution is now prevented but the site is still not safu.. 😅😅😅😅😅😅😅😅😅😅
New exploit:
Post-mortem summary
This week @runridefly, an account with $3,324.79 in their wallet, accidentally leaked their private ACTIVE key:
@keys-defender/successfullyprotected-1599725656390
As usual, my bot @keys-defender automatically warned them via automated reply and transfer memo and put their funds into their savings.
This is the culprit post:
https://hiveblocks.com/hive-193552/@runridefly/actifit-runridefly-20200910t063328127z
After noticing the new leak, I used hiveblockexplorer.com to see the raw content of the post in order to understand where they leaked their key (usually it's pasted in place of a link or image source).
I could not find it so I used @drako's wonderful tool scribe.hivekings.com that allows you to see past edits.
There I noticed that some images were rendered by the browser where they were not supposed to be. That screamed XSS!
I did a couple tests:
and verified that it was indeed the case.
The site is now safu. I will keep you posted on other findings 😎👍 😎👍😎👍😎👍😎👍
Previous security disclosures of mine (from the most recent):