XSS found in @drako's scribe.hivekings.com [solved]


src
image.png


DISCLOSURE:
image.png

@drakos I found an XSS in one of the sites you maintain. Sending you the details in a private message!



UPDATE:

After the released fix, code execution is now prevented but the site is still not safu.. 😅😅😅😅😅😅😅😅😅😅
New exploit:

image.png



Post-mortem summary

This week @runridefly, an account with $3,324.79 in their wallet, accidentally leaked their private ACTIVE key:
@keys-defender/successfullyprotected-1599725656390

As usual, my bot @keys-defender automatically warned them via automated reply and transfer memo and put their funds into their savings.

This is the culprit post:
https://hiveblocks.com/hive-193552/@runridefly/actifit-runridefly-20200910t063328127z

After noticing the new leak, I used hiveblockexplorer.com to see the raw content of the post in order to understand where they leaked their key (usually it's pasted in place of a link or image source).

I could not find it so I used @drako's wonderful tool scribe.hivekings.com that allows you to see past edits.

https://scribe.hivekings.com/?url=https%3A%2F%2Fhive.blog%2Fhive-193552%2F%40runridefly%2Factifit-runridefly-20200910t063328127z

There I noticed that some images were rendered by the browser where they were not supposed to be. That screamed XSS!

I did a couple tests:

and verified that it was indeed the case.

The site is now safu. I will keep you posted on other findings 😎👍 😎👍😎👍😎👍😎👍



Previous security disclosures of mine (from the most recent):

H2
H3
H4
3 columns
2 columns
1 column
5 Comments
Ecency