Twitter: XSS vulnerability in video player page

ID H1:15125
Type hackerone
Reporter guido
Modified 2014-08-02T19:02:26



I found an XSS vulnerability in your site. Try this:;base64,R0lGODlhAQABAIAAAAAAAAAAACH5BAAAAAAALAAAAAABAAEAAAICTAEAOw%27onload%3D%27alert(1000)

In browsers which do not adequately support the Content Security Policy header, this will execute alert(1000).

According to this page not all browsers are supporting this yet:, for instance my own Android phone seems to be vulnerable as I receive the alert when opening that URL.

It happens because of this in amplify-web-player.min.js:

this._$poster = $("<div class='poster-image-container'><img class='poster-image' src='" + h + "'><span class='glyphicon glyphicon-media-play' style='display:none'></span></div>"), this._$allControls = $("<div class='all-controls'></div>"), g.impression && g.impression(), e.container ? (this._$container = $(e.container), this._$container.addClass("amplify-container")) : (this._$container = $("<div id='container' class='amplify-container'></div>"), $("body").append(this._$container)), this.resize(e.width, e.height), this._$allControls.append(l), this._$allControls.append(f), this._$allControls.append(c), this._$;

(The variable 'h' is loaded with the value of the image_src parameter in the URL).

I hope this was helpful to you.
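
Added example, not part of the original report and not Twitter's code: the concatenation pattern from the excerpt above next to one possible hardened form (attribute escaping plus an http/https-only scheme check, which is an assumption about what the player needs). All function names are hypothetical and the sample values are constructed.

```javascript
// Added example: hypothetical function names, constructed sample input.

// Same pattern as the excerpt: the URL parameter is concatenated into a
// single-quoted attribute, so a quote in the value ends the attribute.
function buildPosterUnsafe(src) {
  return "<img class='poster-image' src='" + src + "'>";
}

// Encode every character that can end an attribute value or start markup.
function escapeAttr(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Assumption: posters are absolute http(s) URLs; data:, javascript: and
// relative values are refused.
function isAllowedPosterUrl(src) {
  try {
    const { protocol } = new URL(src);
    return protocol === "http:" || protocol === "https:";
  } catch {
    return false;
  }
}

// Hardened builder: returns null for refused URLs, escaped markup otherwise.
function buildPosterSafe(src) {
  if (!isAllowedPosterUrl(src)) return null;
  return "<img class='poster-image' src='" + escapeAttr(src) + "'>";
}

// Check helper: lists the attribute names of one tag with quoted attributes.
function attributeNames(tagHtml) {
  const names = [];
  const re = /([a-zA-Z-]+)\s*=\s*(?:'[^']*'|"[^"]*")/g;
  let m;
  while ((m = re.exec(tagHtml)) !== null) names.push(m[1]);
  return names;
}

// Constructed value shaped like the report's: a quote, then an event handler.
const sample = "https://example.invalid/poster.gif' onload='alert(1000)";
console.log(attributeNames(buildPosterUnsafe(sample))); // extra onload attribute
console.log(attributeNames(buildPosterSafe(sample)));   // class and src only
console.log(buildPosterSafe("data:image/gif;base64,AAAA' onload='alert(1000)"));
```

In a browser, assigning the value through a DOM property (for example `img.src = h` or jQuery's `.attr("src", h)`) keeps it out of the HTML parser entirely, which removes the need for manual escaping.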