[PoC] Private.me Reflected Cross-Site Scripting [Bug Bounty Hunting]
#1

[Image: logo_privateme_mask_small.png]

Private.me is a privacy platform designed to keep an individual’s personal data private and secure. Using a patent-pending system, Private.Me has built a forgetful web service that allows its users to control who can access their private data. When Private.Me is used for search, all the data is encrypted and dispersed across geographically dispersed organisations.

----------------------------------------------------------

Having an XSS vulnerability easily exploitable by beginners on a site dedicated to privacy protection? Hmm... A stupid security flaw like this can ruin the security of your users.

Screen:
[Image: GvIHmKS.png]

This is the PoC:
Code:
 ____        _           _          ____
|  _ \  __ _(_)___ _   _| | _____  |  _ \  __ _ _ __
| | | |/ _` | / __| | | | |/ / _ \ | | | |/ _` | '_ \
| |_| | (_| | \__ \ |_| |   <  __/ | |_| | (_| | | | |
|____/ \__,_|_|___/\__,_|_|\_\___| |____/ \__,_|_| |_|
Underground hacker - security researcher - @TheHackersBay

GET : https://private.me/search?q= --> XSS HERE <-- &t=Web
Host: private.me
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: https://private.me
Cookie: _pk_id.3.e849=ad7bccca497f2623.1433667799.1.1433669465.1433667799.; _pk_ses.3.e849=*; session=1c8118310afa34c248fa558a8e5651fdba039830gAJVTmJyd3NyLXNlc3Npb246NjAxMGZmMjcxOTJiNmY4MWY0ZDA2MjgzY2JjYThmNTJmYjM1NjIzYWE0NTNjNTY0MDQyODQzM2U1YjVkOWZlOHEBLg==
Connection: keep-alive

----------------------------------------------------------------------------------------------

POST : https://private.me/saas/search/v1/search?query= --> XSS HERE <-- &skip=0&mode=Web
Host: private.me
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/json; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: https://private.me
Content-Length: 43
Cookie: _pk_id.3.e849=ad7bccca497f2623.1433667799.1.1433669498.1433667799.; _pk_ses.3.e849=*; session=1c8118310afa34c248fa558a8e5651fdba039830gAJVTmJyd3NyLXNlc3Npb246NjAxMGZmMjcxOTJiNmY4MWY0ZDA2MjgzY2JjYThmNTJmYjM1NjIzYWE0NTNjNTY0MDQyODQzM2U1YjVkOWZlOHEBLg==
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
POST: {"resultRows":[],"prevSkip":0,"nextSkip":0}

Code:
<script id="tmpl-search-results-web" type="text/template">

     {{#resultRows}}
        <div class="sc-single-result">
           <div class="sc-search-result-title">
           <a href="{{{linkUrl}}}">{{{htmlTitle}}}</a></div>
           <p>
           {{{htmlSnippet}}}
           </p>
           <div class="sc-search-result-url">
           <img src="{{{favicon}}}" width=16 height=16>
           {{{displayLink}}}
           </div>

           <div class="sc-result-share">
            <img src="/static/chevronTall.png" />
            <div class="sc-result-share-box">
              <ul>
              Share:
              <li><a class="share-facebook" target=_blank href="https://www.facebook.com/sharer.php?u={{{linkUrl}}}"><i class="fa fa-facebook-square"></i>Facebook</a></li>
              <li><a class="share-twitter" target=_blank href="https://twitter.com/share?url={{{linkUrl}}}"><i class="fa fa-twitter-square"></i>Twitter</a></li>
              <li><a class="share-google-plus" target=_blank href="https://plus.google.com/share?url={{{linkUrl}}}"><i class="fa fa-google-plus-square"></i>Google+</a></li>
              <li><a class="share-email" target=_blank href="mailto:?subject=Link I found on private.me&body={{{linkUrl}}}"><i class="fa fa-envelope"></i>Email</a></li>

            </ul>
            </div>
           </div>
        </div>
     {{/resultRows}}

</script>

The mail I sent:
[Image: RRDjbod.png]

Nice reward for this kind of XSS.
Then I discussed with the security team, their system looks trusted, the team is composed of serious and skilled people.
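The template above inserts `htmlTitle`, `htmlSnippet` and the other fields with triple braces, which in Mustache-style templating means "insert raw, no escaping", so anything the server echoes into those fields (such as the search term) becomes live markup. The following is an added example, not code from the original post or from Private.me: a minimal hypothetical renderer (not mustache.js) that mimics the two tag kinds, rendering a constructed result row through the page's fragment as written and through a hardened double-brace version.

```javascript
// Added example, not code from the original post: a minimal Mustache-style
// renderer (hypothetical, not mustache.js) that mimics the two tag kinds in
// the page's template: {{name}} HTML-escapes the value, {{{name}}} inserts it raw.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;',
                "'": '&#39;', '/': '&#x2F;', '`': '&#x60;', '=': '&#x3D;' };
  return String(value).replace(/[&<>"'`=\/]/g, (c) => map[c]);
}

// Expands {{#key}}...{{/key}} over an array, then substitutes tags in one pass
// so that a raw-inserted value is never re-scanned for tags.
function render(tpl, view) {
  const expanded = tpl.replace(/\{\{#(\w+)\}\}([\s\S]*?)\{\{\/\1\}\}/g,
    (_, key, body) => (view[key] || []).map((row) => render(body, row)).join(''));
  return expanded.replace(/\{\{\{(\w+)\}\}\}|\{\{(\w+)\}\}/g, (_, raw, esc) =>
    raw !== undefined ? String(view[raw] ?? '') : escapeHtml(view[esc] ?? ''));
}

// Constructed sample: the search term is echoed by the server into the row's
// snippet ("No results for ...") without being escaped server-side.
const QUERY = '<script>alert(1)</script>';
const ROW = {
  linkUrl: 'https://example.com/', htmlTitle: 'Example',
  htmlSnippet: 'No results for ' + QUERY, displayLink: 'example.com',
};

// Same fragment as the page's template: triple braces insert the fields raw,
// so the markup in the snippet becomes live DOM.
const VULNERABLE_TPL =
  '{{#resultRows}}<a href="{{{linkUrl}}}">{{{htmlTitle}}}</a><p>{{{htmlSnippet}}}</p>{{/resultRows}}';
// Hardened form: double braces, so every field is entity-encoded at render time.
const HARDENED_TPL =
  '{{#resultRows}}<a href="{{linkUrl}}">{{htmlTitle}}</a><p>{{htmlSnippet}}</p>{{/resultRows}}';

function renderVulnerable() { return render(VULNERABLE_TPL, { resultRows: [ROW] }); }
function renderHardened() { return render(HARDENED_TPL, { resultRows: [ROW] }); }

console.log(renderVulnerable());
console.log(renderHardened());
```

Triple braces are only safe when the server has already encoded the field; if the snippet must carry server-side highlighting markup, that markup has to be built from escaped pieces rather than from the raw query.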
#2
Damn, good job! 125 dollars is really nice, especially for something as simple as an XSS vulnerability. Enjoy the money :)
#3
(06-10-2015, 11:36 PM)Insider Wrote: Damn, good job! 125 dollars is really nice, especially for something as simple as an XSS vulnerability. Enjoy the money :)

I promise I'll post something more advanced next time. Lol

(06-10-2015, 11:52 PM)Sphinx Wrote: Nice find, Daisuke!

It is nice to see people actually payout for reports such as this. There have been too many occasions where I have seen companies not offer payouts after others have reported serious vulnerabilities.

Yes.
They are open-minded people; they take privacy seriously. But I think they rewarded me because I hacked their site a few minutes after they followed me on Twitter!
#4
Wow, wtf, finally people who pay up. Rofl, sometimes I hacked some companies with way more severe data leaks, think of SQL injection for example, and then they don't even care..
Or they say that they already knew it and are working on patching the problem. Lulz
#5
Impressive work, keep it up like this; you may get paid very well in the near future from pentesting, etc.
#6
Good job.
Finally someone has begun to take security seriously, and most important, will pay you :D
#7
It's literally funny lol. The site name is Private.me while they don't even have basic XSS protection on their search parameter.