Friday, April 24, 2020

XSS in Peerio 2 Windows Application (Write Up)



Howdy!


Few years ago I found a simple XSS vulnerability which affects a windows application of a company called Peerio. The application was similar to Slack nowadays which allows you to chat with your colleagues. The XSS was found in the chat input which if you will input an XSS payload on the chat box the payload will automatically trigger since they are using a web based application on it.

The vulnerability was reported directly to their security team and they added a quick fixed on it.

--Proof of Concept--



--Report Timeline--

Reported: Nov 21, 2017, 7:41 PM
First Response: Nov 23, 2017, 6:02 AM

Hi Evan,
thanks a lot, and quick catch — looks like this was introduced exactly one week ago.
What’s the best way to pay you? I’ll get the bureaucracy moving…
We should have a fix out tomorrow. 
 Fixed: Dec 2, 2017, 1:36 AM

Hi,
We pushed a direct fix in this release: https://github.com/PeerioTechnologies/peerio-desktop/releases/tag/v2.98.7
And then added strict CSP in the following release for a more global solution: https://github.com/PeerioTechnologies/peerio-desktop/releases/tag/v2.103.0 (you can check out pull requests #144 and #145 for details)
Thanks! 
Bounty: 1000 Canadian Dollar



I hope you enjoy this write up! stay tune for more contents like this in the future.

Have a great day,

Evan

“Life isn’t about finding yourself. Life is about creating yourself.”
– George Bernard Shaw

No comments:

Post a comment