Hackers Karim Rahal and Ibram Marzouk have found multiple cross-site scripting vulnerabilities in the HTML Comment Box that opened avenues to compromise visitors to some used by some 2 million websites.
Rahal (@KarimPwnz) and Marzouk (@0xibram), both 14 year-old students based in Lebanon, reported the flaws through Detectify's bug bounty program finding the cross-site scripting exploits worked despite attempts to sanitise.
The bugs would have allowed attackers to insert code into site comments that could execute and exploit visitors who encountered it.
"I used a simple Google dork to find out how many websites used the third-party comment section; I was astonished! About 2,000,000 results were displayed!" Rahal says.
"I wasn’t able to get the developer’s contact information for a while until Detectify invited me to its new Detectify Crowdsource program."
Rahal was able to bypass the developer's cross-site scripting filters using double > and < tags and closing attributes with a semicolon.
Developers patched the flaw hours after it was reported.
Cross-site scripting remains the most common web app vulnerability soaking up more than a third of all bugs, according to Swiss security wonks at High-Tech Bridge.
The vector is sufficiently terrible that Google has spent some US$1.2 million in cross-site scripting bug bounties over the last two years, and has kicked off a dedicated effort to crush it across the broader net. ®