Netflix Party — XSS Vulnerabilities

https://netflixparty.com is a Chrome extension that lets you watch Netflix shows and movies with your friends.

User nickname

Discovery

<script>alert(1)</script>

Vulnerability

Unfiltered user input (the nickname) is inserted directly into the page's HTML.

Exploits

Users exchange messages (just me right now 😢 very lonely)
After changing the nickname to the payload, every message shown under that nickname carries it and the script runs when the messages are rendered.

Fix

Fixed in version 1.7.7, where the userNickname variable is now also HTML-escaped before insertion.

XSS Vulnerability — User Icon

Discovery

Vulnerability

x" onerror=alert(1)
// which the extension turns into
<img src="chrome-extension://.../img/x" onerror="alert(1)">
// the value can be stored with (while in the context of Netflix Party)
chrome.storage.local.set({"userIcon": 'x" onerror=alert(1)'});
The user can then join any party, or have members join their party, and the JavaScript is executed immediately.
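The two bugs above are the same mistake in two contexts: the nickname lands in element content, the icon value lands inside a src attribute. The following added example (my own code, not Netflix Party's) shows the escaping the 1.7.7 nickname fix describes, an allowlist for the icon value (an assumed mitigation, not one the write-up documents), and that both payloads from this page become inert; the extension id, icon names and message text are constructed placeholders.

```javascript
// Added example, not Netflix Party's code. EXT_ID_PLACEHOLDER stands in for
// the real extension id, which this write-up does not reproduce.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that matter in both element content and
// double-quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Pre-1.7.7 shape: message text is escaped but the nickname is inserted raw,
// so a nickname of <script>alert(1)</script> becomes live markup.
function renderMessageUnsafe(nickname, text) {
  return `<div class="msg"><b>${nickname}</b>: ${escapeHtml(text)}</div>`;
}

// 1.7.7 shape: the nickname is escaped as well.
function renderMessageSafe(nickname, text) {
  return `<div class="msg"><b>${escapeHtml(nickname)}</b>: ${escapeHtml(text)}</div>`;
}

// The icon value is used to build a path inside a quoted attribute. Escaping
// the quote stops the attribute breakout; an allowlist of known icon names
// (constructed sample, assumed mitigation) removes the free-form input entirely.
const ICON_ALLOWLIST = new Set(['cat', 'dog', 'bird']);

function renderIconSafe(icon) {
  const name = ICON_ALLOWLIST.has(icon) ? icon : 'default';
  return `<img src="chrome-extension://EXT_ID_PLACEHOLDER/img/${escapeHtml(name)}">`;
}

// Constructed inputs reproducing the two values discussed on this page.
const NICK_PAYLOAD = '<script>alert(1)</script>';
const ICON_PAYLOAD = 'x" onerror=alert(1)';

// True when the rendered fragment contains no raw tag or unescaped quote
// outside the fixed template, i.e. the user value could not start markup.
function isInert(fragment, userValue) {
  return !fragment.includes(userValue) || !/[<>"']/.test(userValue);
}
```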

Exploits

Fix

Conclusion

Extra Info