WePay: Active mixed content issues on the site https://stage-go.wepay.com.

ID H1:503699
Type hackerone
Reporter mobius07
Modified 2019-05-11T18:00:20




Page https://stage-go.wepay.com/static/ contains active mixed content:

  • <script src="http://malsup.github.com/jquery.cycle2.js"></script>


Passive mixed content is content sent over HTTP that is contained on the HTTPS page, but which can not change other parts of the page. For example, an attacker can replace a picture sent via HTTP with obscene content or a message to the user. The attacker can also view the activity of the user, observing which images are sent to the user. Knowing which pictures the user downloads, an attacker can figure out which pages the user is visiting. Active mixed content has access to the entire DOM tree or part of it. This type can change the behavior of a page protected by HTTPS, and, theoretically, steal passwords from the user. Unlike passive content, the active is much more vulnerable. In the case of active mixed content, the attacker can intercept the request by writing unwanted JavaScript code there, capable of stealing user personal data or installing dangerous software using vulnerabilities in plug-ins. The risk associated with active content does not depend on the type of site and how valuable the user enters on it. The page can contain both publicly available information and data that is available only after authorization. Even if the page is public and does not contain any valuable data, with the help of active content, an attacker can redirect a user to other pages and steal cookies from there.

Steps To Reproduce:

  1. Open any browser (Chrome, Opera etc).
  2. Follow this link https://stage-go.wepay.com/static/.
  3. View Developer Tools Ctrl + Shift + I (besides Internet Explorer - F12).
  4. Open the Console tab - there will be a warning that there are mixed content on the page.

Supporting Material/References:

  • Screenshots F433422, F433423
  • https://resources.infosecinstitute.com/https-mixed-content-vulnerability/

Sincerely, Vyacheslav.


If the HTTPS page includes content retrieved through regular, cleartext HTTP, then the connection is only partially encrypted. The unencrypted content is accessible to sniffers.

A man-in-the-middle attacker can intercept the request and also rewrite the response to include malicious or deceptive content. This content can be used to steal the user's credentials, acquire sensitive data about the user, or attempt to install malware on the user's system (by leveraging vulnerabilities in the browser or its plugins, for example), and therefore the connection is not safeguarded anymore.