XSS on Twitch TV- 0day Vulnerability ( By Aaditya Purani)

Hello,

I am today sharing one of my 0 days with you all. The vulnerability was XSS (Cross site scripting ) Via Image Javascript Injection. This is a creative way for XSS Injection. Read my advisory below and also a video too

Document Title:
===============
XSS on Twitch TV- 0day Vulnerability

Authors
============
Aaditya Purani (https://twitter.com/aaditya_purani)

References (Source):
====================

Release Date:
====================
2015-09-07

Affected Product(s):
====================
Twitch TV Profile Options

Severity Level:
====================
Medium

Technical Details & Description:
====================

1) First of all login to your account on Twitch TV

2) Go to Profile Settings -> and there are bottom you could see select photo option

3) Choose a payload as image , for example : <img src=x onerror=prompt(404)>.exe and click on “Upload”

4) You will see that the script is being rendered on the diagloue box and a Popup will come of XSS.

5) You can use different payload for cookie stealing and IFrame too

Timeline
====================
25-07-2015 Contacted to Security Team
28-07-2015 Not considered it as Issue as CVS was low
28-07-2015 Second mail to the team, more information
2-08-2015  Still no patch. Unfixed
7-08-2015 Public disclosure

Contact Me
====================
http://aadityapurani.com
https://securityresearchindia.wordpress.com
https://twitter.com/aaditya_purani

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s