VK.com: XSS at http://vk.com on IE using flash files

ID H1:66121
Type hackerone
Reporter tunnelshade
Modified 2015-10-30T12:23:19

  • Open the URL below in Internet Explorer.
  • Hover the mouse over the page.

Minor Observations

  • No "X-Content-Type-Options: nosniff" header: without it, Internet Explorer sniffs the response body and plays the Flash file directly, whereas other browsers honour the served Content-Type of application/zip and present a download dialog instead.
  • No X-Frame-Options header: the attack can therefore be placed inside an iframe on an attacker-controlled page and run stealthily.
  • Other Flash files such as http://vk.com/swf/CaptureImg.swf will be vulnerable in a similar fashion.
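A small header audit for the two observations above, added here as an example and not part of the original report: it parses a raw HTTP response head, flags a missing X-Content-Type-Options: nosniff and a missing X-Frame-Options, and models the sniffing decision with a deliberately simplified rule (a sniffing browser runs a body that begins with an SWF signature, FWS/CWS/ZWS, when nosniff is absent; a non-sniffing browser only runs it when the declared type is application/x-shockwave-flash). The response heads and the SWF body below are constructed for illustration, not captures from vk.com.

```python
"""Audit an HTTP response for the header weaknesses noted in the report.

Added example; the sample responses below are constructed for illustration
and are not real captures from vk.com.
"""

# SWF files start with one of these three-byte signatures
# (FWS uncompressed, CWS zlib-compressed, ZWS LZMA-compressed).
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")


def parse_response_head(raw: str):
    """Split a raw HTTP response head into (status line, {lowercase name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, _, header_block = head.partition("\r\n")
    headers = {}
    for line in header_block.split("\r\n"):
        if not line or ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return status_line, headers


def audit_headers(raw: str):
    """Return the list of weaknesses found in a response head.

    Codes: 'nosniff-missing'  - no X-Content-Type-Options: nosniff
           'xfo-missing'      - no (or unrecognised) X-Frame-Options
    """
    _, h = parse_response_head(raw)
    findings = []
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("nosniff-missing")
    xfo = h.get("x-frame-options", "").upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("xfo-missing")
    return findings


def executes_as_flash(raw: str, body: bytes, sniffs: bool) -> bool:
    """Simplified model of whether a browser will run `body` as Flash.

    A browser that honours the declared Content-Type only runs it when the
    type is application/x-shockwave-flash. A sniffing browser (IE in the
    report) additionally runs it when the body carries an SWF signature and
    the response lacks X-Content-Type-Options: nosniff.
    """
    _, h = parse_response_head(raw)
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if ctype == "application/x-shockwave-flash":
        return True
    if not sniffs:
        return False
    nosniff = h.get("x-content-type-options", "").lower() == "nosniff"
    return (not nosniff) and body[:3] in SWF_MAGIC


# Constructed sample resembling the weak response described in the report:
# an SWF served as application/zip with neither protective header.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: application/zip\r\n"
    "Content-Length: 1234\r\n"
    "\r\n"
)

# Same resource with the two headers the observations note as missing.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: application/zip\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Content-Length: 1234\r\n"
    "\r\n"
)

# Constructed body: zlib-compressed SWF signature followed by filler bytes.
SWF_BODY = b"CWS\x0a" + b"\x00" * 12


if __name__ == "__main__":
    for name, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(name, audit_headers(resp),
              "sniffing browser:", executes_as_flash(resp, SWF_BODY, sniffs=True),
              "non-sniffing browser:", executes_as_flash(resp, SWF_BODY, sniffs=False))
```

The model is intentionally coarse: real MIME sniffing rules are browser- and version-specific, so the point of `executes_as_flash` is only to make the report's observation checkable on a captured response head, not to reproduce Internet Explorer's full sniffing logic.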