Stumbleupon Cross-Site Scripting Vulnerability
That being said, there are still workarounds that exist. In the proof of concept I was able to execute, the attack vector was the invitefriends.php file, which does not sanitize the email1 input.
?sendername=n&message=n&senderemail=[[sender email]]&email1=[[vulnerable field]]
Subsequently, if an individual is logged into the Stumbleupon website (not simply the toolbar), you can hijack their account to perform multiple tasks, but are still limited to their homepage. One of the first tasks we need to do is acquire the user's temporary fauth/ftoken id, which Stumbleupon uses for form field authorization. If Stumbleupon.com simply generated a new fauth/ftoken every time a form is called, they would have stopped this vulnerability immediately. However, because the fauth/ftoken is the same across the site, it becomes quite easy to simply grab the fauth/ftoken from the URL submission page (http://www.stumbleupon.com/url/[[a url]]) via an AJAX request and simple DOM calls; script injected through the XSS runs in the victim's origin, so it can read that token wherever it appears.
This can then be used in conjunction with the REST method for adding friends: http://www.stumbleupon.com/user.php?friend=[[insert your numeric ID]]&fauth=[[the fauth]]
Of course, the effectiveness of this attack is greatly diminished by the fact that the user must still hold session cookies from an actual website login to StumbleUpon – not just via the toolbar.