
A JavaScript library used by HackerOne contained a prototype pollution vulnerability that could have allowed hackers to stage phishing attacks on unsuspecting users.
Prototype pollution is a dangerous vulnerability found in prototype-based programming languages such as JavaScript. It allows attackers to manipulate the behavior of an application by injecting properties into the shared prototypes its objects inherit from at runtime.
Prototype pollution vulnerabilities are usually exploited through malicious user input and can lead to a host of attacks, including denial of service or even remote code execution (RCE).
First reported on the HackerOne bug bounty platform by security researcher William Bowling, the new prototype pollution vulnerability was found in one of the JavaScript files used to embed content from Wistia, a video hosting and marketing platform.
The file in question parsed the webpage URL without sanitizing it, which could allow a hacker to inject malicious HTML and JavaScript code in the query string. Bowling’s findings show the bug could be exploited to run phishing attacks against HackerOne users.
He found the bug while looking for cross-site scripting (XSS) vulnerabilities on the HackerOne.com domain. The company’s main bug bounty platform is separately managed.
“I started searching for anywhere that user-controlled data was being used, but since it’s just their marketing site it didn’t leave too many options,” Bowling told The Daily Swig.
“Things like the document location or message event listeners are normally good candidates.”
While perusing the site’s source with the Chrome DevTools, Bowling came across the Wistia JavaScript code that was extracting the host and query parameters, among other findings. Since query parameters are provided by the user, an attacker could use them to embed custom JavaScript and HTML code.
A crafty hacker could have exploited the bug to stage an XSS attack. “It allowed an attacker to specify the innerHTML for any DOM elements that were created via the Wistia script,” Bowling explained.
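The bug class described above, as an added example that is not Wistia’s or HackerOne’s code: a nested query-string parser of the kind that writes `a[b]=v` into plain objects, so a `__proto__[innerHTML]=...` pair lands on `Object.prototype`, beside a hardened version that rejects prototype key names and uses null-prototype containers. The function names and the sample query are constructed for this illustration.

```javascript
// Added example (not Wistia's or HackerOne's code) of the bug class described above:
// a nested query-string parser where "__proto__[innerHTML]=..." lands on Object.prototype.
// "opts[autoplay]=1" -> [["opts", "autoplay"], "1"]
function pairsOf(queryString) {
  return queryString.replace(/^\?/, '').split('&').filter(Boolean).map((pair) => {
    const [k, v = ''] = pair.split('=');
    return [decodeURIComponent(k).replace(/\]/g, '').split('['), decodeURIComponent(v)];
  });
}

// Vulnerable: a "__proto__" segment steps onto Object.prototype, so the final write pollutes it.
function parseQueryUnsafe(queryString) {
  const result = {};
  for (const [path, value] of pairsOf(queryString)) {
    let node = result;
    for (const key of path.slice(0, -1)) {
      if (typeof node[key] !== 'object' || node[key] === null) node[key] = {};
      node = node[key];
    }
    node[path[path.length - 1]] = value;
  }
  return result;
}

// Hardened: null-prototype containers, prototype key names rejected, own properties only.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);
function parseQuerySafe(queryString) {
  const result = Object.create(null);
  for (const [path, value] of pairsOf(queryString)) {
    if (path.some((k) => FORBIDDEN.has(k))) continue; // drop the whole pair
    let node = result;
    for (const key of path.slice(0, -1)) {
      const own = Object.prototype.hasOwnProperty.call(node, key);
      if (!own || typeof node[key] !== 'object' || node[key] === null) node[key] = Object.create(null);
      node = node[key];
    }
    node[path[path.length - 1]] = value;
  }
  return result;
}
// After the unsafe parse every plain object inherits innerHTML, which is what a script
// doing `el.innerHTML = opts.innerHTML` for elements it creates would then read.
function demonstratePollution() {
  const q = '?__proto__[innerHTML]=' + encodeURIComponent('<b>attacker markup</b>');
  parseQueryUnsafe(q);
  const polluted = ({}).innerHTML;
  delete Object.prototype.innerHTML; // clean up so the process is left unchanged
  parseQuerySafe(q);
  return { polluted, afterSafe: ({}).innerHTML };
}
```

A scanner for this class of bug can check for exactly the condition `demonstratePollution` reports: a fresh `{}` gaining a property it never had after untrusted input is parsed.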
“The HackerOne marketing site doesn’t have any user data or cookies to steal, so the only impact there would have been something like a phishing attack,” Bowling said, adding that since the bug was in the Wistia embed code, any site that used the feature would have been vulnerable as well.