Stored XSS vulnerability in hiveblockexplorer.com !! [SOLVED] by gaottantacinque

View this thread on: hive.blog | peakd.com | ecency.com

hive · @gaottantacinque · Sep 12 '20 (edited)

$17.01

Stored XSS vulnerability in hiveblockexplorer.com !! [SOLVED]

<center>
<sub><sub><a href="https://pixabay.com/illustrations/binary-black-cyber-data-digits-2170633/">src</a></sub></sub>
https://images.hive.blog/DQmW8mXJtXpWsAWnUTaCfu161Ucxd1o7vW89HqZdTji4yLb/image.png
</center>

<br>

I was trying to understand better how Hive works at a technical level, so I was going through some documentation and exploring the content of blocks. I came across [a transaction](https://hiveblockexplorer.com/tx/8437cffaa71b2fcf292584f19ea407c6dfb40b24] that displayed the user logo at the end of the post text.

That immediately rang a bell. That image should not be there.. only text should be in that table cell!

Therefore I inspected the page and noticed that indeed some text was being parsed by the browser, meaning that it was not correctly sanitized on the server side.

I checked how the post text looked like in the hive block and I crafted a similar comment with some hidden code in it.

<h4>Result: I checked my new comment on hiveblockexplorer.com and the site executed my code!!</h4>

- XSS  ✅

{{ for more details on what XSS is see: https://www.imperva.com/learn/application-security/cross-site-scripting-xss-attacks }}

<center><h4>Proof:</h4></center>

<center> https://images.hive.blog/DQmRv2YobHvSKVkCtKnRK1D5WUP2LTYeRYdnfpVDjZFMFmH/image.png</center>

-----

If you want to check yourself, I stored my <b>harmless</b> XSS [here](https://hiveblockexplorer.com/tx/8b379e3cd60fee22a8a370110dd9e3f1e800604b)<i class="https://hiveblockexplorer.com/tx/8b379e3cd60fee22a8a370110dd9e3f1e800604b"><sub>PS. now fixed by @penguinpablo.</sub></i>

If you click on that link:

- You will see the alert in the screenshot above;

- After 10s you will be redirected to this post of mine.

<br>This happens because the website parses my specially crafted TEXT as code and executed it! That should never happen.

-----

The code stored on that page could obviously be used for evil things like redirecting users to a phishing page!

A user could fall victim of it because a malicious attacker could keep spamming these type of messages into blocks OR, even worse, they could send another user a link crafted in this way as a proof of previous payment, in order to try to steal their private keys.

Guys that maintain hiveblockexplorer.com (@penguinpablo), please fix this ASAP!
Contact me on [Discord](https://discord.gg/SXuwsH7) if you need more details.
#xss #abuse  #security #disclosure #shipit #fixasap

<br>
-----

UPDATE 1: the same vulnerability [is also on steemblockexplorer.com](https://steemblockexplorer.com/tx/4fa8e280b5beab2ff18bc6d44b57a013903f9259) .. but maybe we can leave it like that there. Freaking Justin loves thieves after all.. 

-----

UPDATE 2: @penguinpablo today fixed the issue: https://hive.blog/hive/@penguinpablo/qfk9ge
Good stuff!!

Domain now removed from @keys-defender blacklist.
!remove hiveblockexplorer.com

-----
-----

<sub><b>Previous security disclosures of mine:</b></sub>
- <sub>Malicious ads injecting code on steemit for all iOS users: https://hive.blog/steemit/@gaottantacinque/steemit-got-hacked</sub>
- <sub>Reverse tabnabbing and clickjacking: https://hive.blog/security/@gaottantacinque/steemit-chat-is-unsafe</sub>

👍 gtg, pfunk, solominer, someguy123, pharesim, holger80, tipu, axel-blaze, steevc, knfitaly, utopiaeducators, likwid, marcocasario, saboin, auminda, techslut, discovery-it, steempostitalia, armandosodano, thenightflier, enforcer48, privex, shmoogleosukami, bluerobo, mister-omortson, lorenzopistolesi, spiceboyz, arcange, zaragast, libertycrypto27, alinakot, dylanhobalart, appalachain, mad-runner, spaghettiscience, ilnegro, good.game, new-world-steem, peterpanpan, phage93, gianluccio, heidi71, okean123, zacknorman97, keys-defender, edb, jaguar.force, neoxiancity, titti, pab.ink, marcolino76, abbenay, investprosper, promobot, digital.mine, fullnodeupdate, vittoriozuccala, maryincryptoland, riccc96, sbarandelli, tommasobusiello, straykat, frassman, unbanned, and 69 others
👎 dein-problem

`author`	gaottantacinque
`permlink`	hiveblockexplorer-com-is-vulnerable-to-stored-xss
`category`	hive
`json_metadata`	{"app":"hiveblog/0.1","format":"markdown","image":["https://images.hive.blog/DQmW8mXJtXpWsAWnUTaCfu161Ucxd1o7vW89HqZdTji4yLb/image.png","https://images.hive.blog/DQmRv2YobHvSKVkCtKnRK1D5WUP2LTYeRYdnfpVDjZFMFmH/image.png"],"links":["https://pixabay.com/illustrations/binary-black-cyber-data-digits-2170633/","https://hiveblockexplorer.com/tx/8437cffaa71b2fcf292584f19ea407c6dfb40b24","https://www.imperva.com/learn/application-security/cross-site-scripting-xss-attacks","https://hiveblockexplorer.com/tx/8b379e3cd60fee22a8a370110dd9e3f1e800604b","https://discord.gg/SXuwsH7","https://steemblockexplorer.com/tx/4fa8e280b5beab2ff18bc6d44b57a013903f9259","https://hive.blog/hive/@penguinpablo/qfk9ge","https://hive.blog/steemit/@gaottantacinque/steemit-got-hacked","https://hive.blog/security/@gaottantacinque/steemit-chat-is-unsafe"],"tags":["hivedev","security","phishing","hacking","palnet","neoxian","xss","abuse"],"users":["penguinpablo","keys-defender"]}
`created`	2020-08-22 07:42:51
`last_update`	2020-09-12 03:51:09
`depth`	0
`children`	132
`last_payout`	2020-08-29 07:42:51
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	8.538 HBD
`curator_payout_value`	8.470 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	3,197
`author_reputation`	13,591,652,650,682
`root_title`	"Stored XSS vulnerability in hiveblockexplorer.com !! [SOLVED]"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	99,206,335
`net_rshares`	41,126,986,255,937
`author_curate_reward`	""

properties (23)vote details (134)

voter	rshares	pct
pharesim	1,423,908,866,052	100%
pfunk	7,601,323,585,528	100%
gtg	20,654,264,476,718	100%
donatello	2,254,223,156	4%
arcange	71,521,336,085	2%
raphaelle	2,140,442,520	2%
steevc	524,595,399,075	40%
someguy123	1,507,099,709,060	50%
appalachain	47,991,816,022	100%
okean123	32,721,841,643	100%
dylanhobalart	62,687,240,866	21%
techslut	280,368,406,199	50%
edb	23,801,031,783	20%
mauriciozoch	765,528,803	20%
steemitboard	2,871,715,212	2%
privex	93,629,313,415	100%
zaragast	70,374,965,859	45%
thenightflier	149,913,013,376	45%
avisk	1,217,314,879	100%
steempostitalia	203,893,430,249	45%
spiceboyz	73,028,631,973	40%
valchiz	1,602,729,832	10%
tipu	808,688,662,175	2.04%
alinakot	64,262,711,005	45%
suheri	552,419,632	8%
heidi71	34,132,809,036	45%
sciack	554,316,485	20%
gianluccio	35,521,026,511	24%
new-world-steem	39,366,767,135	23%
ciuoto	6,508,427,370	20%
mister-omortson	79,781,057,176	100%
marcolino76	11,558,566,294	30%
straykat	8,366,723,146	20%
fourfourfun	756,981,415	2.88%
bartheek	2,981,977,171	1.02%
alequandro	6,117,095,888	20%
mirkon86	1,748,787,543	40%
knfitaly	499,574,967,948	69.96%
pab.ink	11,682,831,933	20%
investprosper	10,558,507,787	50%
holger80	1,374,172,092,503	33%
shmoogleosukami	88,449,448,104	100%
piumadoro	5,497,035,400	20%
happy-soul	6,365,023,978	1.02%
anikys3reasure	561,914,018	10%
thebluewin	730,804,764	100%
auminda	294,791,169,137	100%
mad-runner	44,042,596,866	28%
frassman	8,315,630,240	50%
sbarandelli	8,996,738,593	40%
vittoriozuccala	9,143,259,710	20%
spaghettiscience	43,461,772,562	40%
lorenzopistolesi	76,016,924,716	40%
oscurity	7,182,324,743	32%
saboin	300,895,948,544	35%
bafi	2,449,427,163	40%
promobot	10,282,305,780	11.55%
phage93	37,056,915,870	100%
solominer	1,631,367,921,837	48%
jancharlest	1,489,126,101	2.04%
serialfiller	3,327,537,452	50%
enforcer48	117,254,152,112	15%
acquarius30	3,327,986,439	40%
digital.mine	10,193,869,487	0.42%
gaottantacinque	7,112,234,558	100%
nattybongo	1,857,320,074	0.8%
armandosodano	160,604,675,209	28%
ilnegro	40,363,082,318	20%
tommasobusiello	8,624,317,979	32%
coccodema	5,003,771,647	40%
fullnodeupdate	9,392,013,388	33%
marcocasario	305,679,869,449	100%
laissez-faire	92,481,395	100%
javier.dejuan	2,518,446,985	20%
elyon	1,639,368,298	20%
itegoarcanadei	1,152,744,277	40%
middleearth	1,587,238,280	40%
adinapoli	4,887,151,693	20%
akireuna	2,424,112,213	40%
discovery-it	229,440,668,675	40%
dein-problem	-6,678,688	-0.33%
jaguar.force	18,739,043,540	100%
bluerobo	81,532,291,390	100%
lallo	5,589,439,490	40%
cooperfelix	2,570,062,172	28%
abbenay	10,965,065,835	50%
titti	12,300,076,266	40%
maryincryptoland	9,139,971,645	40%
bigmoneyman	907,956,544	50%
stregamorgana	2,935,835,639	40%
meeplecomposer	3,150,777,546	24%
libertycrypto27	66,931,614,541	40%
karamazov00	666,947,649	40%
likwid	373,666,973,981	11.55%
tinyhousecryptos	530,276,045	5%
claudietto	3,253,327,652	20%
omodei	4,481,299,573	40%
ilovecanada	93,886,925	50%
xawi-ag	534,823,360	15%
neoxiancity	15,509,414,982	20%
good.game	39,944,811,111	100%
ilias.fragment	340,272,501	70%
capitanonema	4,780,649,937	40%
damaskinus	839,685,235	20%
btc4breackfast	561,812,799	34%
mk-sports-token	110,318,562	50%
themagazine	541,643,491	20%
bcm	1,026,014,273	1.53%
axel-blaze	582,944,172,259	40%
discovery-blog	4,772,872,764	40%
zacknorman97	29,118,195,056	40%
riccc96	9,033,495,703	20%
pecoshop	565,546,885	34%
delilhavores	7,100,608,778	40%
hjmarseille	5,049,293,310	36%
boomalex	757,193,772	34%
gmlrecordz	2,456,830,256	25%
machete9595	737,829,081	34%
kgsupport	1,744,829,285	50%
im-ridd	1,501,993,098	40%
bilpcoinbpc	1,489,975,894	16.5%
disagio.gang	1,006,973,939	40%
mengene	1,126,944,831	20%
keys-defender	24,159,419,301	100%
romytokic	1,234,446,188	20%
fengchao	2,737,627,413	2%
peterpanpan	37,827,029,812	40%
matteus57	1,541,529,746	40%
unbanned	8,252,076,565	0.42%
tokichope	620,439,944	20%
joseq1570	753,706,444	40%
flewsplash	3,589,948,224	40%
quinnertronics	1,193,704,611	100%
utopiaeducators	411,590,882,270	100%

@discovery-it · Aug 22 '20

$0.04

💪

👍 marcocasario, gaottantacinque

`author`	discovery-it
`permlink`	re-gaottantacinque-qfgh2c
`category`	hive
`json_metadata`	{"tags":["hive"],"app":"peakd/2020.08.3"}
`created`	2020-08-22 08:03:51
`last_update`	2020-08-22 08:03:51
`depth`	1
`children`	0
`last_payout`	2020-08-29 08:03:51
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.018 HBD
`curator_payout_value`	0.018 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	1
`author_reputation`	67,549,360,255,364
`root_title`	"Stored XSS vulnerability in hiveblockexplorer.com !! [SOLVED]"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	99,206,553
`net_rshares`	160,492,181,150
`author_curate_reward`	""

properties (23)vote details (2)

voter	weight	wgt%	rshares	pct	time
gaottantacinque	0 B		7,247,378,717	100%
marcocasario	0 B		153,244,802,433	51%

@gaottantacinque · Aug 23 '20

Any update @penguinpablo please?

properties (22)

`author`	gaottantacinque
`permlink`	qfjd19
`category`	hive
`json_metadata`	{"users":["penguinpablo"],"app":"hiveblog/0.1"}
`created`	2020-08-23 21:29:33
`last_update`	2020-08-23 21:29:33
`depth`	1
`children`	0
`last_payout`	2020-08-30 21:29:33
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.000 HBD
`curator_payout_value`	0.000 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	32
`author_reputation`	13,591,652,650,682
`root_title`	"Stored XSS vulnerability in hiveblockexplorer.com !! [SOLVED]"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	99,235,389
`net_rshares`	0

@gtg · Aug 22 '20

$0.20

> UPDATE: the same vulnerability is also on steemblockexplorer(...)

They don't need XSS to steal from users. People who use ~~Steem~~ these days should assume that their funds can be stolen at any moment.

👍 solominer, marcocasario, saboin, arcange, keys-defender, gaottantacinque, davidmuhammad
👎 dein-problem

`author`	gtg
`permlink`	qfglzu
`category`	hive
`json_metadata`	{"app":"hiveblog/0.1"}
`created`	2020-08-22 09:50:21
`last_update`	2020-08-22 09:50:21
`depth`	1
`children`	10
`last_payout`	2020-08-29 09:50:21
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.101 HBD
`curator_payout_value`	0.101 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	205
`author_reputation`	461,812,694,713,691
`root_title`	"Stored XSS vulnerability in hiveblockexplorer.com !! [SOLVED]"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	99,207,729
`net_rshares`	822,908,960,579
`author_curate_reward`	""

properties (23)vote details (8)

voter	rshares	pct
arcange	70,544,814,232	2%
saboin	86,267,955,943	10%
solominer	336,576,660,746	10%
gaottantacinque	7,140,695,999	100%
marcocasario	297,598,000,194	100%
dein-problem	-121,753,598	-1%
keys-defender	24,156,056,881	100%
davidmuhammad	746,530,182	100%

@gaottantacinque · Aug 22 '20 (edited)

@gtg FYI: I launched this too today and obviosly it is NOT running on Steem 😏😏
<b>**[auto-replies to posts and comments with known phishing links]**</b>
https://hive.blog/hive/@keys-defender/new-feature-phishing-detection-and-auto-reply

properties (22)

`author`	gaottantacinque
`permlink`	qfhbxh
`category`	hive
`json_metadata`	{"users":["gtg"],"links":["https://hive.blog/hive/@keys-defender/new-feature-phishing-detection-and-auto-reply"],"app":"hiveblog/0.1"}
`created`	2020-08-22 19:10:30
`last_update`	2020-08-22 19:56:27
`depth`	2
`children`	0
`last_payout`	2020-08-29 19:10:30
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.000 HBD
`curator_payout_value`	0.000 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	236
`author_reputation`	13,591,652,650,682
`root_title`	"Stored XSS vulnerability in hiveblockexplorer.com !! [SOLVED]"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	99,215,432
`net_rshares`	0

@keys-defender · Aug 22 '20

$0.03

Very true!  🙂😌

👍 marcocasario, gaottantacinque

`author`	keys-defender
`permlink`	qfgmpf
`category`	hive
`json_metadata`	{"app":"hiveblog/0.1"}
`created`	2020-08-22 10:05:39
`last_update`	2020-08-22 10:05:39
`depth`	2
`children`	0
`last_payout`	2020-08-29 10:05:39
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.014 HBD
`curator_payout_value`	0.014 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	14
`author_reputation`	91,066,153,650,894
`root_title`	"Stored XSS vulnerability in hiveblockexplorer.com !! [SOLVED]"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	99,207,868
`net_rshares`	124,061,227,697
`author_curate_reward`	""

properties (23)vote details (2)

voter	weight	wgt%	rshares	pct	time
gaottantacinque	0 B		0	0%
marcocasario	0 B		124,061,227,697	43%

@louis88 · Aug 23 '20

$0.02

Found also a new XSS not yet fixxed on the same site. Messaged u on Discord.

👍 dustsweeper, anli
👎 dein-problem

`author`	louis88
`permlink`	re-gtg-qfiorj
`category`	hive
`json_metadata`	{"tags":["hive"],"app":"peakd/2020.08.3"}
`created`	2020-08-23 12:45:21
`last_update`	2020-08-23 12:45:21
`depth`	2
`children`	7
`last_payout`	2020-08-30 12:45:21
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.012 HBD
`curator_payout_value`	0.012 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	76
`author_reputation`	1,186,680,373,396,485
`root_title`	"Stored XSS vulnerability in hiveblockexplorer.com !! [SOLVED]"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	99,227,570
`net_rshares`	115,420,327,244
`author_curate_reward`	""

properties (23)vote details (3)

voter	rshares	pct
anli	6,041,707,219	99%
dustsweeper	109,500,373,623	15.61%
dein-problem	-121,753,598	-1%

@gtg · Aug 23 '20

I'm not using a discord. Come to the https://openhive.chat
You can find me (@gandalf) on #general channel or #witness or #help.

👍 davidmuhammad

`author`	gtg
`permlink`	qfiq6k
`category`	hive
`json_metadata`	{"tags":["general","witness","help"],"users":["gandalf"],"links":["https://openhive.chat"],"app":"hiveblog/0.1"}
`created`	2020-08-23 13:15:57
`last_update`	2020-08-23 13:15:57
`depth`	3
`children`	6
`last_payout`	2020-08-30 13:15:57
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.000 HBD
`curator_payout_value`	0.000 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	127
`author_reputation`	461,812,694,713,691
`root_title`	"Stored XSS vulnerability in hiveblockexplorer.com !! [SOLVED]"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	99,228,002
`net_rshares`	762,769,910
`author_curate_reward`	""

properties (23)vote details (1)

voter	weight	wgt%	rshares	pct	time
davidmuhammad	0 B		762,769,910	100%

6 replies

@howo · Aug 22 '20

$0.31

Well done ! But please in the future contact the maintainer so he can patch the security issue before releasing it to the public. You are endangering the ecosystem by doing it that way.

👍 therealwolf, saboin, vermithrax

`author`	howo
`permlink`	qfgj5n
`category`	hive
`json_metadata`	{"app":"hiveblog/0.1"}
`created`	2020-08-22 08:49:03
`last_update`	2020-08-22 08:49:03
`depth`	1
`children`	4
`last_payout`	2020-08-29 08:49:03
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.224 HBD
`curator_payout_value`	0.086 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	185
`author_reputation`	515,737,821,338,631
`root_title`	"Stored XSS vulnerability in hiveblockexplorer.com !! [SOLVED]"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	99,207,068
`net_rshares`	1,686,943,643,127
`author_curate_reward`	""

properties (23)vote details (3)

voter	rshares	pct
vermithrax	0	100%
therealwolf	1,600,843,275,469	5%
saboin	86,100,367,658	10%

@gaottantacinque · Aug 23 '20 (edited)

$0.02

PS. @howo Today I launched this, better?? 😏😏
<b>**[auto-replies to posts and comments with known compromised domains or phishing links]**</b>
https://hive.blog/hive/@keys-defender/new-feature-phishing-detection-and-auto-reply

cc: @therealwolf  @saboin

👍 saboin, dustbunny

`author`	gaottantacinque
`permlink`	qfhbui
`category`	hive
`json_metadata`	{"users":["howo","therealwolf","saboin"],"links":["https://hive.blog/hive/@keys-defender/new-feature-phishing-detection-and-auto-reply"],"app":"hiveblog/0.1"}
`created`	2020-08-22 19:08:42
`last_update`	2020-08-23 01:54:00
`depth`	2
`children`	2
`last_payout`	2020-08-29 19:08:42
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.012 HBD
`curator_payout_value`	0.012 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	252
`author_reputation`	13,591,652,650,682
`root_title`	"Stored XSS vulnerability in hiveblockexplorer.com !! [SOLVED]"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	99,215,398
`net_rshares`	114,438,963,090
`author_curate_reward`	""

properties (23)vote details (2)

voter	weight	wgt%	rshares	pct	time
saboin	0 B		84,345,856,732	10%
dustbunny	0 B		30,093,106,358	8.99%

@howo · Aug 23 '20

Pretty cool tool !

properties (22)

`author`	howo
`permlink`	re-gaottantacinque-qfiizc
`category`	hive
`json_metadata`	{"tags":["hive"],"app":"peakd/2020.08.3"}
`created`	2020-08-23 10:40:30
`last_update`	2020-08-23 10:40:30
`depth`	3
`children`	1
`last_payout`	2020-08-30 10:40:30
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.000 HBD
`curator_payout_value`	0.000 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	19
`author_reputation`	515,737,821,338,631
`root_title`	"Stored XSS vulnerability in hiveblockexplorer.com !! [SOLVED]"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	99,226,102
`net_rshares`	0

1 reply

@keys-defender · Aug 22 '20 (edited)

$0.03

True, but..

- I did not share the exploit;
- I have been trying to reach him on multiple channels already;
- There's no session to be compromised on that site (as I mentioned in the post, only the redirection bit is dangerous).

👍

👍 marcocasario, gaottantacinque

`author`	keys-defender
`permlink`	qfgjbt
`category`	hive
`json_metadata`	{"app":"hiveblog/0.1"}
`created`	2020-08-22 08:52:42
`last_update`	2020-08-22 09:46:51
`depth`	2
`children`	0
`last_payout`	2020-08-29 08:52:42
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.014 HBD
`curator_payout_value`	0.014 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	231
`author_reputation`	91,066,153,650,894
`root_title`	"Stored XSS vulnerability in hiveblockexplorer.com !! [SOLVED]"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	99,207,108
`net_rshares`	132,252,837,423
`author_curate_reward`	""

properties (23)vote details (2)

voter	weight	wgt%	rshares	pct	time
gaottantacinque	0 B		7,121,855,970	100%
marcocasario	0 B		125,130,981,453	43%

@keys-defender · Aug 22 '20

Phishing defense - test

https://hiveblockexplorer.com/tx/be9507bc8e889c0831b73d8a2045890d99b70468

👎 keys-defender

`author`	keys-defender
`permlink`	qfh8pf
`category`	hive
`json_metadata`	{"links":["https://hiveblockexplorer.com/tx/be9507bc8e889c0831b73d8a2045890d99b70468"],"app":"hiveblog/0.1"}
`created`	2020-08-22 18:00:54
`last_update`	2020-08-22 18:00:54
`depth`	1
`children`	107
`last_payout`	2020-08-29 18:00:54
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.000 HBD
`curator_payout_value`	0.000 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	98
`author_reputation`	91,066,153,650,894
`root_title`	"Stored XSS vulnerability in hiveblockexplorer.com !! [SOLVED]"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	99,214,459
`net_rshares`	-2,370,941,931
`author_curate_reward`	""

properties (23)vote details (1)

voter	weight	wgt%	rshares	pct	time
keys-defender	0 B		-2,370,941,931	-10%

@keys-defender · Aug 23 '20

kid no phish

<h4>Do not click on any link on this post/comment</h4> ❗ ❗ ❗ ❗ ❗
<div class="phishy">
It contains a link that is currently on my list as PHISHING &nbsp; ❗<br>
-> "https://hiveblockexplorer.com/tx/*"
</div>
<br><br>More info: https://hive.blog/hive/@gaottantacinque/hiveblockexplorer-com-is-vulnerable-to-stored-xss
<br>@keys-defender

properties (22)

`author`	keys-defender
`permlink`	antiphish-keys-defender-bot-1598148637286
`category`	hive
`json_metadata`	{"tags":["phishing"],"app":"hivejs/kd"}
`created`	2020-08-23 02:10:39
`last_update`	2020-08-23 02:10:39
`depth`	2
`children`	106
`last_payout`	2020-08-30 02:10:39
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.000 HBD
`curator_payout_value`	0.000 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	333
`author_reputation`	91,066,153,650,894
`root_title`	"Stored XSS vulnerability in hiveblockexplorer.com !! [SOLVED]"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	99,220,682
`net_rshares`	0

@keys-defender · Aug 23 '20

kid no phish

<h4>Do not click on any link on this post/comment</h4> ❗ ❗ ❗ ❗ ❗
<div class="phishy">
It contains a link that is currently on my list as PHISHING &nbsp; ❗<br>
-> "https://hiveblockexplorer.com/tx/*"
</div>
<br><br>More info: https://hive.blog/hive/@gaottantacinque/hiveblockexplorer-com-is-vulnerable-to-stored-xss
<br>@keys-defender

properties (22)

`author`	keys-defender
`permlink`	antiphish-keys-defender-bot-1598148643584
`category`	hive
`json_metadata`	{"tags":["phishing"],"app":"hivejs/kd"}
`created`	2020-08-23 02:10:45
`last_update`	2020-08-23 02:10:45
`depth`	3
`children`	105
`last_payout`	2020-08-30 02:10:45
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.000 HBD
`curator_payout_value`	0.000 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	333
`author_reputation`	91,066,153,650,894
`root_title`	"Stored XSS vulnerability in hiveblockexplorer.com !! [SOLVED]"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	99,220,683
`net_rshares`	0

105 replies

@louis88 · Aug 23 '20

$0.02

@penguinpablo Please contact me on https://openhive.chat where you can just simple Login with your Private Posting Key. I found another XSS and would like to Discuss this with you. 

Thanks
@louis88

👍 dustsweeper, anli
👎 dein-problem

`author`	louis88
`permlink`	re-gaottantacinque-qfisxk
`category`	hive
`json_metadata`	{"tags":["hive"],"app":"peakd/2020.08.3"}
`created`	2020-08-23 14:15:24
`last_update`	2020-08-23 14:15:24
`depth`	1
`children`	1
`last_payout`	2020-08-30 14:15:24
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.012 HBD
`curator_payout_value`	0.012 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	198
`author_reputation`	1,186,680,373,396,485
`root_title`	"Stored XSS vulnerability in hiveblockexplorer.com !! [SOLVED]"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	99,228,794
`net_rshares`	116,013,447,512
`author_curate_reward`	""

properties (23)vote details (3)

voter	rshares	pct
anli	6,014,858,819	99%
dustsweeper	110,120,342,291	15.65%
dein-problem	-121,753,598	-1%

@gaottantacinque · Aug 23 '20

Yeh, multiple fields are affected. The server side sanitation in use in not complete.

properties (22)

`author`	gaottantacinque
`permlink`	qfj0vw
`category`	hive
`json_metadata`	{"app":"hiveblog/0.1"}
`created`	2020-08-23 17:07:09
`last_update`	2020-08-23 17:07:09
`depth`	2
`children`	0
`last_payout`	2020-08-30 17:07:09
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.000 HBD
`curator_payout_value`	0.000 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	85
`author_reputation`	13,591,652,650,682
`root_title`	"Stored XSS vulnerability in hiveblockexplorer.com !! [SOLVED]"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	99,231,492
`net_rshares`	0

@penguinpablo · Aug 24 '20

$0.08

Thank you for pointing this out.

It has been fixed. The URL below is now safe. Make sure it is not loading from your browser cache (even though it is harmless anyway).

https://www.hiveblockexplorer.com/tx/95c5b404d935cf1beba7d90bade6948f116e199e

👍 marcocasario, keys-defender, gaottantacinque
👎 dein-problem

`author`	penguinpablo
`permlink`	qfk9ge
`category`	hive
`json_metadata`	{"links":["https://www.hiveblockexplorer.com/tx/95c5b404d935cf1beba7d90bade6948f116e199e"],"app":"hiveblog/0.1"}
`created`	2020-08-24 09:09:51
`last_update`	2020-08-24 09:09:51
`depth`	1
`children`	2
`last_payout`	2020-08-31 09:09:51
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.041 HBD
`curator_payout_value`	0.041 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	247
`author_reputation`	792,312,678,950,166
`root_title`	"Stored XSS vulnerability in hiveblockexplorer.com !! [SOLVED]"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	99,243,629
`net_rshares`	353,168,272,562
`author_curate_reward`	""

properties (23)vote details (4)

voter	rshares	pct
gaottantacinque	7,255,089,645	100%
marcocasario	321,527,209,112	100%
dein-problem	-121,753,598	-1%
keys-defender	24,507,727,403	100%

@keys-defender · Aug 24 '20

Nice! Thanks for resolving this @penguinpablo.

Will remove hiveblockexplorer.com from [my blacklist](https://hive.blog/contest/@keys-defender/antiphish-keys-defender-bot-1598275741558) (it was temporary added until the issue was resolved).

Take care

👍 penguinpablo
👎 freddio

`author`	keys-defender
`permlink`	qfkpfc
`category`	hive
`json_metadata`	{"users":["penguinpablo"],"links":["https://hive.blog/contest/@keys-defender/antiphish-keys-defender-bot-1598275741558"],"app":"hiveblog/0.1"}
`created`	2020-08-24 14:54:48
`last_update`	2020-08-24 14:54:48
`depth`	2
`children`	0
`last_payout`	2020-08-31 14:54:48
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.000 HBD
`curator_payout_value`	0.000 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	251
`author_reputation`	91,066,153,650,894
`root_title`	"Stored XSS vulnerability in hiveblockexplorer.com !! [SOLVED]"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	99,248,283
`net_rshares`	-8,924,987,663
`author_curate_reward`	""

properties (23)vote details (2)

voter	weight	wgt%	rshares	pct	time
penguinpablo	0 B		40,323,849,960	1%
freddio	0 B		-49,248,837,623	-21%

@louis88 · Aug 24 '20

$0.02

please check your memo. i found another XSS which is also dangerous like the other.

👍 dustsweeper, gaottantacinque, anli
👎 dein-problem

`author`	louis88
`permlink`	qfkvcw
`category`	hive
`json_metadata`	{"app":"hiveblog/0.1"}
`created`	2020-08-24 17:02:57
`last_update`	2020-08-24 17:02:57
`depth`	2
`children`	0
`last_payout`	2020-08-31 17:02:57
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.012 HBD
`curator_payout_value`	0.012 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	83
`author_reputation`	1,186,680,373,396,485
`root_title`	"Stored XSS vulnerability in hiveblockexplorer.com !! [SOLVED]"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	99,250,441
`net_rshares`	111,290,522,595
`author_curate_reward`	""

properties (23)vote details (4)

voter	rshares	pct
anli	4,978,609,019	99%
gaottantacinque	6,854,033,429	100%
dustsweeper	99,579,633,745	10.9%
dein-problem	-121,753,598	-1%

@upvotebank · Aug 24 '20

Hi, I can see that you are doing well here on Hive. You should try our Upvote service, we have just opened up for registration. Take a look at our lates post. We need more members. 😉

properties (22)

`author`	upvotebank
`permlink`	20200824t155938530z
`category`	hive
`json_metadata`	{"tags":["comment"],"app":"peakd/2020.07.1"}
`created`	2020-08-24 15:59:39
`last_update`	2020-08-24 15:59:39
`depth`	1
`children`	0
`last_payout`	2020-08-31 15:59:39
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.000 HBD
`curator_payout_value`	0.000 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	182
`author_reputation`	44,533,286,469,385
`root_title`	"Stored XSS vulnerability in hiveblockexplorer.com !! [SOLVED]"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	99,249,364
`net_rshares`	0