Twitter: HTML/XSS rendered in Android App of Crashlytics through fabric.io

2014-12-25T09:40:56
ID H1:41856
Type hackerone
Reporter akhil-reni
Modified 2015-02-18T18:38:02

Description

Hey hi,

While in fabric , the app name is rendered as HTML/XSS in android app of Crashlytics like shown in the screenshot.

Steps to reproduce: Create an app with the name of payload in my case i have used, "><img src=x> under the following URL https://www.fabric.io/img-srcx-onerrorprompt03/android/apps/imgsrcxonerrorprompt0.myapplication/beta/releases/latest (replace the app names wherever needed) Send invitation to users to test the APP users will get the invitation and will be forced to download the Crashlytics app, once downloaded they will see the app name like in the screenshot.

Regards, Karthik Wesecureapp