03.18
Summary
Jaiku was vulnerable to a persistent XSS vulnerability. It would detect and linkify URLs using certain protocol handlers (i.e. javascript:, data:), producing links that could take malicious actions on behalf of an attacker when a viewer clicked them.
How did it work?
The commit that patched the vulnerability can be seen at http://code.google.com/p/jaikuengine/source/detail?r=157.
Jaiku used an overly broad regular expression in an attempt to detect URLs to turn into links. That regular expression allowed people to create links using a number of protocols, including javascript: and data:, which an attacker can use to run code in a victim's browser.
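To make the bug class concrete, here is an added example in Python (not Jaiku's code or the r157 patch): a toy linkifier with the overly broad behaviour beside an allowlisted version, plus a check that scans rendered HTML for links whose scheme is not http(s). The regular expression, the sample post text and the function names are all constructed for this illustration.

```python
import html
import re

# Constructed regex: any "scheme:rest" token counts as a URL, like the overly broad
# pattern described above. The scheme group is what the hardened version inspects.
URL_RE = re.compile(r"\b([a-zA-Z][a-zA-Z0-9+.\-]*):(\S+)")
SAFE_SCHEMES = ("http", "https")
HREF_RE = re.compile(r'href="([^"]*)"')


def linkify_broad(text):
    """Vulnerable: every matched token becomes a link, javascript: and data: included."""
    return URL_RE.sub(lambda m: '<a href="%s">%s</a>' % (m.group(0), m.group(0)), text)


def linkify_safe(text):
    """Hardened: only http/https tokens become links; everything else is escaped text."""
    out, pos = [], 0
    for m in URL_RE.finditer(text):
        out.append(html.escape(text[pos:m.start()]))
        url = m.group(0)
        if m.group(1).lower() in SAFE_SCHEMES:
            esc = html.escape(url, quote=True)
            out.append('<a href="%s" rel="nofollow">%s</a>' % (esc, esc))
        else:
            out.append(html.escape(url))  # non-allowlisted scheme stays inert text
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)


def unsafe_hrefs(rendered):
    """Detection helper: return href values whose scheme is not on the allowlist.
    Relative hrefs (no scheme) are skipped. Simplistic by design: it reads the
    attribute literally and does not undo browser-side normalisation."""
    flagged = []
    for href in HREF_RE.findall(rendered):
        m = re.match(r"\s*([a-zA-Z][a-zA-Z0-9+.\-]*):", href)
        if m and m.group(1).lower() not in SAFE_SCHEMES:
            flagged.append(href)
    return flagged


if __name__ == "__main__":
    # Constructed post text mixing an ordinary URL with two non-http schemes.
    post = "see http://example.com and javascript:void(0) or data:text/html,x"
    print(unsafe_hrefs(linkify_broad(post)))  # two dangerous links
    print(unsafe_hrefs(linkify_safe(post)))   # none
```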
More Information
The vulnerability mentioned here has been confirmed patched by the Google Security Team. I owe them a ton of thanks for organizing this program and giving me a chance to improve my skills.
Interested readers are encouraged to take a look at other vulnerabilities I’ve reported under Google’s Vulnerability Reward Program.