Thursday, February 06, 2020

Popping Alerts in Mixmax Chrome Extension (Write Up)


Back in 2017, I reported this simple XSS vulnerability that affects the Mixmax Chrome Extension. The vulnerability was due to a feature called insert link/URL. This vulnerability didn't trigger on other users, since the payload was filtered after it was pushed to the victim, so it ends up as a self-XSS, but Mixmax issued a fix and rewarded me with Mixmax swag that still hasn't arrived (I don't know why). This vulnerability was reported to Mixmax via HackerOne.

--Proof of Concept--

PS: Don't mind my inbox, nothing sensitive in there.

--Report Timeline--

Report Title: XSS in Mixmax Chrome Extension
Reported: 2017-10-31 13:00:48 +0000
Triaged: 2018-01-08 19:45:25 +0000
We'll fix, thanks!
Fixed: 2018-02-10 03:50:44 +0000
Reward: Mixmax Swag

I hope you enjoy this write-up! Stay tuned for more content like this in the future.

Have a great day,

“To be yourself in a world that is constantly trying to make you something else is the greatest accomplishment.”
― Ralph Waldo Emerson
