Hello, my name is Sergey, and I do security research and hunt for bugs.

Now I want to tell you about a vulnerability that few people know about and for which you can earn good money.

I call it "Pixel that steals your data." (It sounds very funny.)

With this vulnerability, I was able to earn good money. I will show you my reports with this error.


So what is the vulnerability?

The fact is that each site has some forms for data exchange, for example comments, biographies, and messages.

For example, take Jira.

I inserted a picture using markdown “!test.jpg|thumbnail!”.
Let’s try uploading an image from another resource (Jira itself does not offer this feature).

Now I will generate an IP address trap on my site.


A hit arrived on my server instantly.

GET from 46.158.xxx.xxx

Accept-Language: ru-RU,ru;q=0.9,en-US;q=0.8,en;q=0.7
Accept-Encoding: gzip, deflate, br
Referer: https://jira.site.ru/projects/PART/issues/PART-97?fi..
Accept: image/webp,image/apng,image/*,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
Connection: keep-alive
Host: site.one

Now, if we send this comment with a picture loaded from my site, everyone who sees it will give me their data.

To create such a picture, you can use this service.


The fact is that many developers do not think about such trifles.
You can fix this in different ways, but in my opinion the better fix is to proxy all objects loaded from third-party resources and to set a Content Security Policy (CSP).
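
One way to apply both mitigations, as an added example that is not from the original post: rewrite third-party image targets in the `!target|attrs!` markup shown above so the server fetches them, and send a CSP that blocks any image the rewriter missed. The host names, the key and the signed-URL layout are assumptions made for this sketch.

```python
import hashlib
import hmac
import re
from urllib.parse import quote, urlsplit

# Assumed deployment values (hypothetical, not from the original post).
SITE_HOST = "jira.example"                # the application's own host
PROXY_BASE = "https://img-proxy.example"  # server-side image fetcher
PROXY_KEY = b"constructed-demo-key"       # shared by the app and the proxy

# Image markup in the style shown in the post: !target! or !target|attrs!
IMAGE_RE = re.compile(r"!([^!|\s]+)(\|[^!\n]*)?!")


def proxied_url(url: str) -> str:
    """Signed proxy URL; the proxy recomputes the HMAC before fetching."""
    sig = hmac.new(PROXY_KEY, url.encode(), hashlib.sha256).hexdigest()
    return f"{PROXY_BASE}/{sig}?url={quote(url, safe='')}"


def rewrite_images(markup: str) -> str:
    """Route third-party image targets through the proxy."""
    def repl(m: re.Match) -> str:
        target, attrs = m.group(1), m.group(2) or ""
        parts = urlsplit(target)
        # Attachments (no host) and same-host images are left alone.
        if not parts.netloc or parts.hostname == SITE_HOST:
            return m.group(0)
        # Anything that is not plain http(s) is dropped, not proxied.
        if parts.scheme not in ("http", "https"):
            return ""
        return f"!{proxied_url(target)}{attrs}!"
    return IMAGE_RE.sub(repl, markup)


def csp_header() -> str:
    """Content-Security-Policy value: images only from self and the proxy."""
    return f"img-src 'self' {PROXY_BASE}"
```

With this in place the viewer's browser only ever contacts the application and the proxy, so the third-party host sees the proxy's IP address and headers instead of the reader's. The HMAC keeps the proxy from fetching URLs the application did not sign.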

Programs will accept this error only if you can easily steal data from the user. For example, if you find such an error in chat messages (where people communicate), you will be able to steal the IP addresses of your interlocutors in large quantities. Then it will be accepted.

Attention! Each site has its own markup; I used a special payload for Atlassian Jira!

HackerOne: https://hackerone.com/iframe

Twitter: https://twitter.com/iframe0x01

Have a good hunt!