HackerOne: Anti-MIME-Sniffing header X-Content-Type-Options header has not been set.

2014-04-24T04:17:10
ID H1:9479
Type hackerone
Reporter uname
Modified 2015-04-28T05:06:57

Description

Hi,

The following host "profile-photos-user-content.hackerone.com" does not set the x-content-type-options header to nosniff. If a malicious user is able to upload an image with script content (possible within the comments metadata) Internet Explorer (up till IE8) might render the content as JavaScript and execute malicious code.

The problem is more severe since the photos are uploaded to a subdomain of hackerone.com.

Cheers,
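The report above turns on one response header. The following is an added example, not code from the reporter or from HackerOne, showing the two sides a defender cares about: a check that parses a raw HTTP response and flags a missing or malformed `X-Content-Type-Options` header, and a small WSGI middleware that adds `nosniff` to every response the application emits. The sample responses and the `demo_app` are constructed for the example; nothing here was captured from the host named in the report.

```python
"""Added example (not part of the original HackerOne report): detect a missing
X-Content-Type-Options: nosniff header in an HTTP response, and add it via
WSGI middleware so user-uploaded content is served with MIME sniffing disabled."""
from typing import Dict, List, Tuple

# Constructed sample responses (labelled as such; not captured from any real host).
MISSING_HEADER_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: image/png\r\n"
    "Content-Length: 1234\r\n"
    "\r\n"
)

NOSNIFF_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: image/png\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Length: 1234\r\n"
    "\r\n"
)


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse the header block of a raw HTTP response into a dict keyed by
    lower-cased header name. Repeated headers are kept as a list of values."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if not line or ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def check_nosniff(raw: str) -> Tuple[bool, str]:
    """Return (ok, finding). ok is True only when every X-Content-Type-Options
    value is 'nosniff' (header name and value compared case-insensitively)."""
    values = parse_headers(raw).get("x-content-type-options", [])
    if not values:
        return False, "X-Content-Type-Options header not set"
    if any(v.lower() != "nosniff" for v in values):
        return False, f"unexpected X-Content-Type-Options value(s): {values}"
    return True, "nosniff set"


def nosniff_middleware(app):
    """WSGI middleware that appends X-Content-Type-Options: nosniff to each
    response unless the wrapped application already set the header itself."""
    def wrapped(environ, start_response):
        def patched_start_response(status, response_headers, exc_info=None):
            present = {name.lower() for name, _ in response_headers}
            if "x-content-type-options" not in present:
                response_headers = list(response_headers) + [
                    ("X-Content-Type-Options", "nosniff")
                ]
            return start_response(status, response_headers, exc_info)
        return app(environ, patched_start_response)
    return wrapped


def demo_app(environ, start_response):
    """Hypothetical upload-serving app that forgets the header (constructed)."""
    start_response("200 OK", [("Content-Type", "image/png")])
    return [b"\x89PNG\r\n\x1a\n"]


def headers_from_app(app) -> List[Tuple[str, str]]:
    """Invoke a WSGI app with an empty environ and capture the headers it emits."""
    captured: List[Tuple[str, str]] = []

    def start_response(status, response_headers, exc_info=None):
        captured.extend(response_headers)
        return lambda data: None

    list(app({}, start_response))
    return captured


if __name__ == "__main__":
    for label, raw in (("missing", MISSING_HEADER_RESPONSE), ("nosniff", NOSNIFF_RESPONSE)):
        print(label, check_nosniff(raw))
    print("bare app:", headers_from_app(demo_app))
    print("wrapped app:", headers_from_app(nosniff_middleware(demo_app)))
```

The check treats an absent header and a wrong value the same way because both leave the browser free to sniff; the middleware is the generic fix for a host that serves user uploads, and it deliberately does not override a value the application set on purpose.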