Lame hack attempt in firefox marketplace, in name field of Etsy reviews

RESOLVED INVALID

Status

Marketplace
Security
--
major
RESOLVED INVALID
4 years ago
4 years ago

People

(Reporter: mruttley, Unassigned)

Tracking

2014-Q3
x86
Mac OS X
Points:
---

Details

(Reporter)

Description

4 years ago
Possible injection-style hack attempt spotted in review name titles:

http://i.imgur.com/DbXye2O.png

Nothing that looks terribly severe, but there could be more in other fields.

Taken from: https://marketplace.firefox.com/app/etsy
They were hitting Verbatim over the weekend with Netsparker - this could be the same folks.

I'm undoing the security flag on the bug as I don't think there is a security hole here, but I'll leave the bug open because we should look at the extent (if they have 1000 reviews, let's delete 'em) and also revisit our limit on reviews-per-hour -- I'm not even sure what it is.
Group: client-services-security
The review was over a month old and that account (at least) was only used for a few reviews.

I don't run any user reports and the search function doesn't (easily) show all possible accounts with similar names, but sticking random bits of HTML in names does appear to be quite common - https://marketplace.firefox.com/lookup/user/4612488/summary  :)

Comment 3

4 years ago
The XSS was correctly caught and handled. Reviews can be moderated and handled. I don't think there's anything to do here apart from clean these out.
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → INVALID
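Two things the thread turns on are worth seeing in code: why markup pasted into a review author's name is harmless when the template escapes it on output (comment 3: "the XSS was correctly caught and handled"), and how to gauge the extent of such junk across stored reviews so moderators can clean it out (the earlier comment asking to "look at the extent"). The block below is an added example and is not code from the Firefox Marketplace; the review records are constructed sample data and the field names (`author_name`, `user_id`, `body`) are assumptions.

```python
"""
Added example, not Firefox Marketplace code.

1. render_review_unsafe / render_review: the vulnerable interpolation next to
   the hardened, escaped-on-output version.
2. looks_like_injection / triage: a broad heuristic for HTML-ish review names,
   run over constructed sample records to count flagged reviews per user.
"""
import html
import re
from collections import Counter

# Constructed sample records; not real Marketplace data. Field names are assumed.
SAMPLE_REVIEWS = [
    {"id": 1, "user_id": 101, "author_name": "Sarah", "body": "Great app, works fine."},
    {"id": 2, "user_id": 202, "author_name": "<script>alert(1)</script>", "body": "nice"},
    {"id": 3, "user_id": 202, "author_name": '"><img src=x onerror=alert(1)>', "body": "ok"},
    {"id": 4, "user_id": 303, "author_name": "Bob & Co.", "body": "Five stars <3"},
    {"id": 5, "user_id": 404, "author_name": "javascript:alert(1)", "body": "meh"},
]


def render_review_unsafe(review):
    # The vulnerable pattern: user-controlled strings interpolated straight into HTML.
    return "<li><b>%s</b>: %s</li>" % (review["author_name"], review["body"])


def render_review(review):
    # Hardened: escape every user-controlled value at output time.
    # html.escape(quote=True) converts <, >, &, " and ' to entities, so a name
    # that contains markup is displayed as literal text instead of being parsed.
    return "<li><b>%s</b>: %s</li>" % (
        html.escape(review["author_name"], quote=True),
        html.escape(review["body"], quote=True),
    )


# Deliberately broad triage heuristic: an HTML tag opener (<script, </b, <img),
# an event-handler attribute (onerror=), or a javascript: scheme. It flags
# attempts, not proven exploitability; "<3" and "&" on their own do not match.
_MARKUP = re.compile(r"<\s*/?\s*[a-z][\w-]*|on[a-z]+\s*=", re.IGNORECASE)
_JS_SCHEME = re.compile(r"^\s*javascript\s*:", re.IGNORECASE)


def looks_like_injection(name):
    return bool(_MARKUP.search(name) or _JS_SCHEME.search(name))


def triage(reviews):
    """Return (ids of flagged reviews, flagged-review count per user_id)."""
    flagged = [r for r in reviews if looks_like_injection(r["author_name"])]
    per_user = Counter(r["user_id"] for r in flagged)
    return [r["id"] for r in flagged], per_user


if __name__ == "__main__":
    ids, per_user = triage(SAMPLE_REVIEWS)
    print("flagged review ids:", ids)
    print("flagged reviews per user:", dict(per_user))
    for r in SAMPLE_REVIEWS:
        print("unsafe:", render_review_unsafe(r))
        print("safe:  ", render_review(r))
```

The per-user count is what decides the cleanup path the thread describes: a handful of reviews from one account is a moderation job, while hundreds from one account is the signal to delete them in bulk and revisit the reviews-per-hour limit.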