XSS found in @drako's scribe.hivekings.com [solved]

in #hive4 years ago (edited)



@drakos I found an XSS in one of the sites you maintain. Sending you the details in a private message!


After the released fix, code execution is now prevented but the site is still not safu.. 😅😅😅😅😅😅😅😅😅😅
New exploit:


Post-mortem summary

This week @runridefly, an account with $3,324.79 in their wallet, accidentally leaked their private ACTIVE key:

As usual, my bot @keys-defender automatically warned them via automated reply and transfer memo and put their funds into their savings.

This is the culprit post:

After noticing the new leak, I used hiveblockexplorer.com to see the raw content of the post in order to understand where they leaked their key (usually it's pasted in place of a link or image source).

I could not find it so I used @drako's wonderful tool scribe.hivekings.com that allows you to see past edits.


There I noticed that some images were rendered by the browser where they were not supposed to be. That screamed XSS!

I did a couple tests:

and verified that it was indeed the case.

The site is now safu. I will keep you posted on other findings 😎👍 😎👍😎👍😎👍😎👍

Previous security disclosures of mine (from the most recent):


Fixed. Thanks for the notice.

Still vulnerable:

@drakos nope, still not safu! :)


I was going to comment something else, but then I read the word "drakos". he was a shithead to me downvoting many of my posts out of spite.

Because you were a shithead yourself who started it in the first place.