Nov. 21, 2009

Posted by in General | No comments

XSS in Engadget’s New Site

I’m noticing a trend of sites patching the more obvious cross-site scripting vectors, such as search fields, but ignoring parameters in secondary pages, such as Ajax interfaces. Several applications in the Month of Facebook Bugs had pages for making Ajax calls or loading advertisements that were never meant to be loaded directly, yet doing so opened the door to XSS attacks. Keep in mind that any page on a given domain can access that domain’s cookies.

Yet another case in point came to my attention this week. I noticed that the technology news site Engadget had launched a redesign, and I began poking around the new site. After a little while, I came across four XSS vulnerabilities, all on the main domain. I promptly reported the holes and they were silently patched in less than a day or two. Since they’ve all been fixed, I’ll list the example URIs I sent here for the record:


Previously, each one of these pages loaded the inserted script, which brings up an alert dialog containing the user’s cookies for Engadget. Kudos to the team behind Engadget for the quick fixes, and hopefully this will serve as another reminder to all developers to leave no page unchecked when evaluating security issues.


  1. Tweets that mention XSS in Engadget’s New Site | Social Hacking -- - [...] This post was mentioned on Twitter by theharmonyguy and greychampion, SocialMediaSecurity. SocialMediaSecurity said: XSS in Engadget’s New Site ...
  2. uberVU - social comments - Social comments and analytics for this post... This post was mentioned on Twitter by theharmonyguy: New Post: XSS in Engadget's New ...
  3. Engadget – How Can I Watch Cable Tv on My Pc - [...] XSS in Engadget’s New Site | Social Hacking [...]

Leave a Reply