Sucuri: Usage of HTTP for exporting graph data as images

2014-09-27T17:23:43
ID H1:29288
Type hackerone
Reporter webpentest
Modified 2014-11-17T14:30:52

Description

Whenever a user of waf.sucuri.net exports their report's graph data as a PNG, an unencrypted HTTP request carrying that data is sent to export.highcharts.com.

This allows an attacker in a man-in-the-middle position to sniff and/or replace the exported image.

Also, the whole practice of offloading potentially private user data to an unrelated website is questionable.

Solution: replace http://export.highcharts.com with https://export.highcharts.com
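To make the fix concrete, the following is an added example (not code from the report, from Sucuri or from Highcharts) showing the Highcharts `exporting.url` option with the weak plain-HTTP value beside the corrected HTTPS one, plus a small audit helper that flags non-HTTPS export servers. `exporting.url` is a real Highcharts exporting-module option; `auditExporting`, `hardenExporting` and the two sample configs are constructed here for illustration.

```javascript
// Added example: Highcharts `exporting` configuration, weak vs. corrected,
// with a constructed audit helper. Not part of the original report.

// Weak configuration as described in the report: the chart data is POSTed to
// the export server over plain HTTP, so both the data and the returned PNG
// can be read or swapped by anyone on the network path.
const weakExporting = {
  enabled: true,
  url: 'http://export.highcharts.com'
};

// Corrected configuration: same server, but the exchange is TLS-protected.
const fixedExporting = {
  enabled: true,
  url: 'https://export.highcharts.com'
};

// Return a list of findings for an `exporting` block (empty means no issue).
// Constructed helper for this example.
function auditExporting(exporting) {
  const findings = [];
  if (!exporting || exporting.enabled === false) {
    return findings; // export feature disabled: nothing leaves the browser
  }
  if (!exporting.url) {
    // Do not rely on the library default; make the transport explicit.
    findings.push('exporting.url not set; set it explicitly to an https:// URL');
    return findings;
  }
  let parsed;
  try {
    parsed = new URL(exporting.url);
  } catch (e) {
    findings.push('exporting.url is not a valid absolute URL: ' + exporting.url);
    return findings;
  }
  if (parsed.protocol !== 'https:') {
    findings.push('exporting.url uses ' + parsed.protocol + ' instead of https:');
  }
  return findings;
}

// Return a copy of the `exporting` block with the export URL upgraded to
// https:, leaving everything else untouched. Constructed helper.
function hardenExporting(exporting) {
  const parsed = new URL(exporting.url);
  parsed.protocol = 'https:';
  return Object.assign({}, exporting, { url: parsed.href });
}

// Usage: audit the weak config, harden it, and confirm it now passes.
console.log(auditExporting(weakExporting));            // one finding
console.log(auditExporting(hardenExporting(weakExporting))); // []
```

Note that upgrading the scheme only addresses the interception point raised in the report; the chart data is still handed to a third-party server, so the second concern (offloading potentially private data to an unrelated site) remains and is a separate decision about whether to use a remote export service at all.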