XSS on Twitch TV - 0day Vulnerability (by Aaditya Purani)


Today I am sharing one of my 0days with you all. The vulnerability is XSS (cross-site scripting) via JavaScript injection in an image filename. This is a creative way to inject XSS. Read my advisory below; there is also a video.

Document Title:
XSS on Twitch TV - 0day Vulnerability

Aaditya Purani (https://twitter.com/aaditya_purani)

References (Source):

Release Date:

Affected Product(s):
Twitch TV Profile Options

Severity Level:

Technical Details & Description:

1) First of all, log in to your account on Twitch TV.

2) Go to Profile Settings; at the bottom you will see the "select photo" option.

3) Choose a file whose name is the payload, for example: <img src=x onerror=prompt(404)>.exe, and click "Upload".

4) You will see that the script is rendered in the dialogue box and the XSS popup appears.

5) Different payloads, such as cookie stealing or an IFrame, can be used too.
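The defect behind step 4 is the upload dialog echoing the chosen filename into the page as markup instead of as text. The following is an added example, not code from the advisory or from Twitch: a hypothetical dialog renderer in its vulnerable form beside the escaped form, plus a small check that flags injected tags in rendered output.

```javascript
// Added example (not from the advisory or Twitch). The filename below is the
// one shown in the advisory; the render functions are hypothetical stand-ins
// for whatever the real dialog does.
const PAYLOAD_FILENAME = '<img src=x onerror=prompt(404)>.exe';

// Vulnerable pattern: the filename is interpolated straight into markup, so a
// name containing a tag becomes live HTML when the dialog is shown.
function renderUnsafe(filename) {
  return `<p>Uploading file: ${filename}</p>`;
}

// Escape the characters that can open or close HTML tags and attributes.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: escape before interpolation. In a real page, assigning
// element.textContent = filename is simpler still, since it never parses markup.
function renderSafe(filename) {
  return `<p>Uploading file: ${escapeHtml(filename)}</p>`;
}

// Review/detection helper: does the rendered markup contain any tag other than
// the <p> wrapper the renderer itself wrote?
function containsInjectedTag(html) {
  return /<(?!\/?p\b)[a-z]/i.test(html);
}

console.log(renderUnsafe(PAYLOAD_FILENAME)); // tag survives: script would run
console.log(renderSafe(PAYLOAD_FILENAME));   // tag is inert text
```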

25-07-2015 Contacted the security team
28-07-2015 Not considered an issue as the CVSS was low
28-07-2015 Second mail to the team with more information
2-08-2015  Still no patch; unfixed
7-08-2015 Public disclosure
