ESPN Content Injection Leads to Phishing Attack (Thanks ESPN #1)

We all know how receptive ESPN is to reporting security vulnerabilities… The last time I tried to be nice and report a vulnerability in ESPN, they flat out denied its existence.

So I’m done being the nice guy with ESPN. I’ll be a white hat hacker all I can for sites that recognize security researchers. I’m not even talking about rewards… all I want is a simple “thanks” message acknowledging me for my contributions.

Without further ado, here’s the first ESPN vulnerability I’m disclosing. Live and unpatched.

Visit this ESPN page: apart from my tongue-in-cheek message, it looks like an actual error message… partly because I copied the real message and made mine look exactly the same. And don’t worry, that link on ESPN takes you to example.com, not some website that will harm you. But it could.

My error message that takes you to example.com

Below is an actual error message, which I’m able to completely hide. I could duplicate the style exactly and make my message indistinguishable from the original error message. What matters, though, is that ESPN renders HTML content on that page without escaping it. It does seem as if they filter out JavaScript keywords, so I’m still trying to escalate this to XSS. As it stands, this is a vulnerability that could lead to a phishing attack: an exact copy of an ESPN page that prompts the user to log in and steals the user’s password.

The actual error message
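To make the escaping point concrete, here is an added example (mine, not ESPN’s code) contrasting the two approaches described above: a keyword blacklist that still renders the parameter as markup, and proper HTML escaping that renders it as text. The template, the blacklist terms and the sample message are all constructed assumptions for illustration.

```python
import html
import re

# Constructed placeholder for an error-page template; not ESPN's actual markup.
TEMPLATE = '<div class="error">{message}</div>'

# Weak approach, as the post describes it: strip a few script-related keywords
# (assumed list) and then render whatever remains as raw HTML.
BLOCKED_KEYWORDS = re.compile(r"javascript|<script|onerror|onload", re.IGNORECASE)


def render_with_keyword_filter(message: str) -> str:
    """Blacklist filtering: plain HTML such as an <a> tag survives untouched,
    so an attacker-controlled link is rendered as a live link on the trusted page."""
    return TEMPLATE.format(message=BLOCKED_KEYWORDS.sub("", message))


def render_escaped(message: str) -> str:
    """Correct approach: treat the parameter as text, never as markup.
    In a real app use a template engine with auto-escaping; html.escape shows the idea."""
    return TEMPLATE.format(message=html.escape(message, quote=True))


def contains_markup(rendered: str) -> bool:
    """Crude check used for the comparison: is there an unescaped tag left in the
    message region of the rendered page?"""
    body = rendered[len('<div class="error">'):-len("</div>")]
    return re.search(r"<[A-Za-z/]", body) is not None


# Constructed sample input in the spirit of the post: a benign-looking message
# carrying a link to example.com.
SAMPLE = 'Page not found. <a href="http://example.com">Return to ESPN</a>'

if __name__ == "__main__":
    for name, render in (("keyword filter", render_with_keyword_filter),
                         ("escaped", render_escaped)):
        out = render(SAMPLE)
        print(f"{name:14s} markup survives: {contains_markup(out)}\n  {out}")
```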

Thanks, ESPN.