Lucene search

K
hackeroneKeer0kH1:862882
HistoryApr 29, 2020 - 11:02 p.m.

Reddit: XSS in redditmedia.com can compromise data of reddit.com

2020-04-2923:02:52
keer0k
hackerone.com
26

Description

Hi, i would like to report a XSS in redditmedia.com that can affect the reddit.com application. In redditmedia.com domain we are in the domain that reddit.com use to get all the thumbmails of any post.

I found that redditmedia.com/gtm/jail uses the “id” parameter to get a valid GTM id and import it from google tag manager. With that, I can create a google tag manager account, create my own html and generate a valid GTM id to be introduced at redditmedia.com/gtm/jail.

I created a gtm with the content &lt;html&gt; <img src> &lt;/html&gt; and it worked. The XSS was triggered. You can check using the id GTM-KM2VT3H.

I discovered two scenarios that can affect reddit.com, one of which is making this XSS make a cookie bomb, creating a large amount of cookies for .redditmedia.com that will make the service unavailable to the user (only for the user who accesses the malicious GTM page)

The PoC for this case is as follows:

&lt;html&gt;
 <img src>
<img src>
<img src>
<img src>
<img src>
<img src>
<img src>
<img src>
<img src>
<img src>
<img src>
<img src>
<img src>
<img src>
<img src>
<img src>
<img src>
<img src>
<img src>
<img src>
<img src>
<img src>
<img src>
<img src>
<img src>
<img src>
<img src>
<img src>
<img src>
<img src>
<img src>
<img src>
<img src>
<img src>
<img src>
<img src>
&lt;/html&gt;

Ps: you need to put this code into your GTM tag.

after the user accesses the GTM page containing this content, thumbs, videos and other media contained on reddit.com will not be reproduced (midias that come from redditmedia.com).

The second case, is where it would be even more dangerous, however, I was unable to reproduce it, because for it to work I would need to have a jsonp endpoint at * .redditmedia.com, however, I didn’t find it. But anyway, I will explain the case.

If I had a hypothetical JSONP at redditmedia.com/anypath/?jsonp=xxx I could use this JSONP as a chain for my XSS to write a service worker in the application, this way, no matter what ID was opened at redditmedia.com/gtm/jail?id=, I could control the page and make it return a malicious script to reddit.com creating the possibility of affecting users on reddit.com.

Steps to reproduce XSS

  1. go to https://redditmedia.com/gtm/jail?id=GTM-KM2VT3H&cb=aa
  2. XSS will be trigger

Steps to reproduce XSS to Cookie Bomb

  1. go to https://redditmedia.com/gtm/jail?id==GTM-MS246QG&cb=aa
  2. Cookie will be add
  3. navigate to https://reddit.com/
  4. some thumbs, images and other midias will no apear

Impact

Its possible to compromise that cross-origin and destabilize a website for the user