In this report, the researcher was able to perform AngularJS Template Injection on our Support site in order to retrieve data, including email address, userid and tokens. Typically, a user is always able to retrieve this information about themselves, and on its own this is known behavior. However, by utilizing a manipulated Avatar URI value, the researcher was able to demonstrate how an attacker could exfiltrate another user's email, userid, and tokens to an external server owned by the attacker. The researcher was further able to demonstrate other types of attacks possible via AngularJS Template Injection, but the most interesting one to us was the data exfiltration POC.
We resolved this issue by updating our version of AngularJS, and by applying the ng-non-bindable directive to the vulnerable fields. This directive prevents AngularJS from compiling or binding the contents of the current DOM element, making it effective at preventing XSS and Code Injection attacks.
Sometimes you don't need a fully-fledged XSS to leak useful data!
An AngularJS template injection was possible in the search field giving me access to the whole AngularJS scope for the page.
A sandbox escape was found later on, rendering the unorthodox approach unnecessary, but extremely fun nonetheless—also given the fact that Rockstar Games decided to scope this flaw as a Reflected XSS before that happened.