
XSS found in @drakos' scribe.hivekings.com [solved]


gaottantacinque276.315 years agoHive.Blog2 min read




DISCLOSURE:

@drakos I found an XSS in one of the sites you maintain. Sending you the details in a private message!



UPDATE:

After the released fix, code execution is now prevented but the site is still not safu.. 😅😅😅😅😅😅😅😅
New exploit:



Post-mortem summary

This week @runridefly, an account with $3,324.79 in their wallet, accidentally leaked their private ACTIVE key:

As usual, my bot @keys-defender automatically warned them via automated reply and transfer memo and put their funds into their savings.

This is the culprit post:

After noticing the new leak, I used hiveblockexplorer.com to see the raw content of the post in order to understand where they leaked their key (usually it's pasted in place of a link or image source).

I could not find it, so I used @drakos' wonderful tool scribe.hivekings.com that allows you to see past edits.

There I noticed that some images were rendered by the browser where they were not supposed to be. That screamed XSS!

I did a couple of tests:

and verified that it was indeed the case.
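As an added illustration (not code from this post or from scribe.hivekings.com), the sketch below shows how an edit-history viewer ends up letting the browser render images from post content, next to a version that output-encodes each diff line. All function names and the two sample revisions are constructed, and output encoding is assumed as the fix; the post does not say how the site was actually patched.

```javascript
// Added example: every name and sample value here is constructed for illustration.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const CLASSES = { ' ': 'same', '+': 'added', '-': 'removed' };

// Encode every character that can open a tag, an attribute value or an entity.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Line diff of two revisions using a longest-common-subsequence table.
function diffLines(oldText, newText) {
  const a = oldText.split('\n'), b = newText.split('\n');
  const lcs = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = a.length - 1; i >= 0; i--)
    for (let j = b.length - 1; j >= 0; j--)
      lcs[i][j] = a[i] === b[j] ? lcs[i + 1][j + 1] + 1 : Math.max(lcs[i + 1][j], lcs[i][j + 1]);
  const out = [];
  let i = 0, j = 0;
  while (i < a.length || j < b.length) {
    if (i < a.length && j < b.length && a[i] === b[j]) { out.push({ op: ' ', line: a[i] }); i++; j++; }
    else if (i < a.length && (j === b.length || lcs[i + 1][j] >= lcs[i][j + 1])) out.push({ op: '-', line: a[i++] });
    else out.push({ op: '+', line: b[j++] });
  }
  return out;
}

// Vulnerable pattern: the post's own markup is spliced into the page as markup.
function renderDiffUnsafe(diff) {
  return diff.map((d) => `<div class="${CLASSES[d.op]}">${d.op} ${d.line}</div>`).join('\n');
}

// Hardened pattern: the post's markup is encoded, so the browser displays it as text.
function renderDiffSafe(diff) {
  return diff.map((d) => `<div class="${CLASSES[d.op]}">${d.op} ${escapeHtml(d.line)}</div>`).join('\n');
}

// Constructed revisions: the edit replaces a Markdown image with a raw <img> tag.
const OLD_REV = 'My travel post\n![photo](https://example.invalid/a.png)';
const NEW_REV = 'My travel post\n<img src="https://example.invalid/a.png">';
const diff = diffLines(OLD_REV, NEW_REV);
console.log(renderDiffUnsafe(diff)); // the <img> tag reaches the page as a live element
console.log(renderDiffSafe(diff));   // the same tag is shown as literal text
```

In a browser, assigning the post text through `textContent` instead of building an HTML string has the same effect as the encoded version.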

The site is now safu. I will keep you posted on other findings! 😎👍 😎👍

😎👍😎👍

Previous security disclosures of mine (from the most recent):
