Howdy!
Few years ago I found a simple XSS vulnerability which affects a windows application of a company called Peerio. The application was similar to Slack nowadays which allows you to chat with your colleagues. The XSS was found in the chat input which if you will input an XSS payload on the chat box the payload will automatically trigger since they are using a web based application on it.
The vulnerability was reported directly to their security team and they added a quick fixed on it.
--Proof of Concept--
--Report Timeline--
Reported: Nov 21, 2017, 7:41 PM
First Response: Nov 23, 2017, 6:02 AM
Hi Evan,Fixed: Dec 2, 2017, 1:36 AM
thanks a lot, and quick catch — looks like this was introduced exactly one week ago.
What’s the best way to pay you? I’ll get the bureaucracy moving…
We should have a fix out tomorrow.
Hi,Bounty: 1000 Canadian Dollar
We pushed a direct fix in this release: https://github.com/PeerioTechnologies/peerio-desktop/releases/tag/v2.98.7
And then added strict CSP in the following release for a more global solution: https://github.com/PeerioTechnologies/peerio-desktop/releases/tag/v2.103.0 (you can check out pull requests #144 and #145 for details)
Thanks!
I hope you enjoy this write up! stay tune for more contents like this in the future.
Have a great day,
Evan
“Life isn’t about finding yourself. Life is about creating yourself.”
– George Bernard Shaw
No comments:
Post a Comment