Hacker, Researcher and Author.

StumbleUpon Fixes The XSS Vulnerability


                                               
About a week ago I reported an XSS vulnerability in StumbleUpon and promised to disclose the vulnerability details once it was fixed. Recently I received an email from StumbleUpon. They told me that they have fixed the XSS vulnerability and that they would like me to test again whether it is still vulnerable to the cross-site scripting (XSS) attack. I tested the parameter and did not find any potential XSS in it. Here is the email I received from StumbleUpon:





Vulnerable parameter:

http://stumbleupon.com/hostedbadge.php?s=1&r=XSS

The above parameter was vulnerable to a reflected cross-site scripting attack; however, it's now fixed and I don't see the issue any more.
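Added example, not part of the original post and not StumbleUpon's code: an offline retest of how a reflected `r` parameter is encoded, comparing an unfixed handler, an incomplete fix and a complete fix. The three handlers, the markup template and the probe string are all assumptions constructed for illustration; only the path and parameter names come from the URL above.

```python
import html
import re
from urllib.parse import parse_qs, quote, urlsplit

# Constructed probe: the four HTML-significant characters between two markers.
# It carries no script; it only shows which characters come back unencoded.
PROBE = "rha\"'<>probe"
TEMPLATE = '<a class="badge" title="%s">%s</a>'  # assumed markup, not the site's


def _r(url):
    """Extract the r query parameter, percent-decoded."""
    return parse_qs(urlsplit(url).query).get("r", [""])[0]


def badge_before(url):
    """Hypothetical pre-fix handler: reflects r verbatim."""
    return TEMPLATE % (_r(url), _r(url))


def badge_partial(url):
    """Hypothetical incomplete fix: encodes < > & but leaves quotes alone."""
    safe = html.escape(_r(url), quote=False)
    return TEMPLATE % (safe, safe)


def badge_fixed(url):
    """Hypothetical complete fix: encodes quotes as well."""
    safe = html.escape(_r(url), quote=True)
    return TEMPLATE % (safe, safe)


def unencoded_chars(body):
    """Return the probe characters that were reflected without encoding."""
    found = set()
    for m in re.finditer(r"rha(.*?)probe", body, re.S):
        found |= {c for c in m.group(1) if c in "\"'<>"}
    return sorted(found)


def retest(handler):
    """Send the probe through a handler and report what survived."""
    url = "/hostedbadge.php?s=1&r=" + quote(PROBE, safe="")
    return unencoded_chars(handler(url))


if __name__ == "__main__":
    for h in (badge_before, badge_partial, badge_fixed):
        print(h.__name__, retest(h))
```

An empty result means every reflection of the probe was encoded. The partial case matters because a value reflected inside an attribute needs its quotes encoded, not just the angle brackets.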

1 comment:

  1. Way back in 2009, in StumbleUpon's toolbar, you could put XSS on any page that you shared with others. No idea if it was fixed, as I never reported it, but I imagine that would be the case.


© 2016 All Rights Reserved by RHA Info Sec.
