Critical XSS (Cross-Site Scripting) vulnerability in SteemNova (fixed)

in #utopian-io, 8 years ago (edited)

Expected behavior

When I play the browser game SteemNova, I expect that I can play a game that is free of dangerous security vulnerabilities. In particular, I expect that there is no vulnerability that can endanger other players in the game or introduce malware on a computer.

Actual behavior

Unfortunately I discovered a security hole that not only affects the game itself but can also endanger other players. The vulnerability is an XSS (Cross-Site Scripting) flaw and can be planted in the alliance administration area, because the editor used there (TinyMCE) lets a user submit content that is later rendered without adequate sanitization.

A big thank you goes to the developer team and the project owner, who took care of this vulnerability at short notice and have already deployed the fix to the live system. The whole process went through without major problems, which I am very happy about.

How to reproduce

The problem has now been resolved. It was previously possible to load arbitrary JavaScript (and with it malware) by entering, among other variants, the following BBCode in the alliance editor (demonstration only, uses a harmless alert):

[url=javascript:alert(String.fromCharCode(88,83,83))]http://google.com/[/url]

  • Browser: Chrome Version 65.0.3325.146 (Official Build) (64-bit)
  • Operating system: Mac OS X
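To make the defect concrete, here is a small added example (not SteemNova's code and not from the original post) of how a BBCode [url=...] tag can be turned into HTML. The naive renderer copies the tag target straight into the href attribute, so a javascript: target becomes a clickable script, which is the class of flaw reported above. The hardened renderer parses the target, allows only http and https, requires a host, strips the tab and newline characters browsers silently ignore inside a scheme, HTML-escapes everything it emits, and degrades a rejected link to plain text instead of a link. The regular expression, the function names and the sample inputs are all assumptions made for this illustration.

```python
import html
import re
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample inputs: the first is the BBCode quoted in the report above,
# the second is an ordinary link that must keep working after hardening.
SAMPLE_UNSAFE = "[url=javascript:alert(String.fromCharCode(88,83,83))]http://google.com/[/url]"
SAMPLE_SAFE = "[url=https://example.com/path?q=1]Example site[/url]"

# Assumed BBCode grammar: [url=TARGET]LABEL[/url]
URL_TAG = re.compile(r"\[url=([^\]]+)\](.*?)\[/url\]", re.IGNORECASE | re.DOTALL)
ALLOWED_SCHEMES = {"http", "https"}


def render_url_tags_unsafe(text: str) -> str:
    """Naive renderer (illustrative, not SteemNova's code): the target and the
    label are copied verbatim into the markup, so any scheme the browser
    understands, including javascript:, ends up in href."""
    return URL_TAG.sub(lambda m: f'<a href="{m.group(1)}">{m.group(2)}</a>', text)


def safe_href(target: str) -> Optional[str]:
    """Return the target if it is an absolute http(s) URL, otherwise None."""
    # Browsers drop ASCII tab, CR and LF when parsing URLs, so "java\tscript:"
    # would still execute. Remove them before looking at the scheme.
    cleaned = target.strip().replace("\t", "").replace("\r", "").replace("\n", "")
    parts = urlsplit(cleaned)
    # Allowlist the scheme (case-insensitive) and insist on a host, so that
    # javascript:, data:, vbscript: and scheme-less strings are all rejected.
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return cleaned


def render_url_tags_safe(text: str) -> str:
    """Hardened renderer: validated href, escaped attribute and text content,
    and a rejected target falls back to the escaped label with no link."""

    def repl(m: "re.Match[str]") -> str:
        href = safe_href(m.group(1))
        label = html.escape(m.group(2))
        if href is None:
            return label
        return f'<a href="{html.escape(href, quote=True)}" rel="noopener noreferrer">{label}</a>'

    return URL_TAG.sub(repl, text)


if __name__ == "__main__":
    print("unsafe :", render_url_tags_unsafe(SAMPLE_UNSAFE))
    print("safe   :", render_url_tags_safe(SAMPLE_UNSAFE))
    print("safe   :", render_url_tags_safe(SAMPLE_SAFE))
```

The important design choice is the scheme allowlist: a denylist of "javascript" alone misses case variants, embedded control characters and other active schemes, whereas requiring an explicit http or https scheme with a host accepts exactly the links a game forum needs. Escaping the attribute and the label separately also closes the second half of the problem, where a label containing raw HTML would otherwise be injected even with a harmless href.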

Recording Of The Bug

Demonstration.

Thanks to the project leaders and developers who solved the problem very quickly!
@louis88



Posted on Utopian.io - Rewarding Open Source Contributors


Thank you for the contribution. It has been approved.

Thank you for the professional way you've dealt with this issue. I can't make sure the bug was real, but I'm more than happy to take yours and @mys's word for it.

You can contact us on Discord.
[utopian-moderator]

Hey @jestemkioskiem, I just gave you a tip for your hard work on moderation. Upvote this comment to support the utopian moderators and increase your future rewards!

Thank You for finding and fixing this security flaw! Both @louis88 and @MWFIAE cooperated to make a patch. As You said, the critical update has been implemented asap so that nobody got hurt. Thanks!

Thank you for treating the whole thing with the necessary seriousness!
And for the fact that we were able to fix it so quickly and frictionlessly :)


Hey @louis88 I am @utopian-io. I have just upvoted you!

Achievements

  • You have less than 500 followers. Just gave you a gift to help you succeed!
  • Seems like you contribute quite often. AMAZING!

Suggestions

  • Contribute more often to get higher and higher rewards. I wish to see you often!
  • Work on your followers to increase the votes/rewards. I follow what humans do and my vote is mainly based on that. Good luck!

Get Noticed!

  • Did you know project owners can manually vote with their own voting power or by voting power delegated to their projects? Ask the project owner to review your contributions!

Community-Driven Witness!

I am the first and only Steem Community-Driven Witness. Participate on Discord. Lets GROW TOGETHER!


Up-vote this comment to grow my power and help Open Source contributions like this one. Want to chat? Join me on Discord https://discord.gg/Pc8HG9x
