Critical XSS Vulnerability Found In The Most Famous Anonymous Feedback Platform Sarahah

Bad news: Sarahah, currently the most popular anonymous feedback platform, has a critical XSS vulnerability. Once exploited, an attacker can read or change the actual messages, delete the account, and take over the account by changing its email address.

What Is XSS Vulnerability?

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications.
XSS enables attackers to inject client-side scripts into web pages viewed by other users. An XSS vulnerability may be used by attackers to bypass access controls such as the same-origin policy.

Rony, a security researcher on the red teaming operations team at Defencely Cloud Security Pvt. Ltd, found the XSS vulnerability in the anonymous feedback platform Sarahah.

What Is Sarahah?

Sarahah is an application that lets you receive anonymous feedback from your friends and coworkers.

Exploiting The XSS Vulnerability On Sarahah.

The researcher first sent the simple, classic JavaScript test snippet to their own dashboard. If the input were rendered as code, an ‘Alert Box’ should pop up in the user’s dashboard, but it didn’t work: the JavaScript was just echoed back to the dashboard as text rather than injected.

The researcher then enumerated the application and noted an AJAX request that goes to the server, fetches the message contents in JSON format, and renders them into the user’s dashboard. This gave the researcher a second chance to attack the application.

Rony crafted a payload to be delivered through that JSON request.

According to the researcher, the specially crafted content is only fetched and echoed into the dashboard when the user scrolls down; only then is the AJAX request made to the URL.
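As an added illustration that is not part of the original report or of Sarahah's code, the following shows the rendering pattern the description implies: a feed that fetches messages as JSON when the user scrolls and splices the message text straight into HTML, next to the escaping fix. The JSON shape and field names are assumptions.

```javascript
// Added example, not Sarahah's code: a message feed that fetches JSON on
// scroll and splices message text into HTML is a stored-XSS sink.
// The JSON shape ({messages: [{id, text}]}) is a constructed assumption.

// Constructed sample of one page returned by the scroll-triggered request.
const SAMPLE_PAGE_JSON = JSON.stringify({
  messages: [
    { id: 1, text: "Great talk today!" },
    { id: 2, text: "<script>alert(1)</script>" }, // the classic test snippet
  ],
});

// Vulnerable rendering: message text is inserted into markup verbatim, so
// any HTML inside the JSON becomes part of the DOM once the page inserts it.
function renderUnsafe(jsonText) {
  const { messages } = JSON.parse(jsonText);
  return messages.map((m) => `<li class="msg">${m.text}</li>`).join("");
}

// Fix: escape every character with HTML meaning before splicing. In a real
// page, assigning textContent instead of innerHTML achieves the same thing.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

function renderSafe(jsonText) {
  const { messages } = JSON.parse(jsonText);
  return messages
    .map((m) => `<li class="msg">${escapeHtml(m.text)}</li>`)
    .join("");
}

// Review/detection helper: flags a script tag or an inline event-handler
// attribute in the rendered output, markup the template itself never emits.
function containsActiveMarkup(html) {
  return /<script\b|\bon\w+\s*=/i.test(html);
}
```

The same check can be applied to the raw JSON before rendering, but escaping at the point of output is what actually closes the hole.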


Python Script Developed To Demonstrate XSS Vulnerability In Sarahah.

Another security researcher, Shawar Khan, has written a Python script demonstrating the XSS vulnerability in the Sarahah platform.

How Does It Work?

Shawar Khan has written multiple exploits for the XSS vulnerability. The Python script injects the payload into the target account and then floods the account with 20 messages, so that the payload is pushed into the vulnerable area and executes when the user scrolls.

The security researcher has uploaded the code of three XSS exploits to GitHub:

1) Account Deletion Exploit Code.
2) Email Change / Account Takeover Exploit Code.
3) Account Message Read and Capture.

Want To Protect Yourself?

This XSS vulnerability affects users only when they use Sarahah in a browser.
If the user is using the mobile application for Android or iOS, the attack won’t work, as the content is properly protected there.
So, if you want to protect yourself from the vulnerability, use the Sarahah mobile application instead.

You can get more in-depth research about the vulnerability here.

You can read more in-depth research on the Python script here.

GitHub link for the exploit code here.

Let’s see when the Sarahah developers will fix the XSS vulnerability to safeguard their users.


