Responsible Disclosure - XSS Flaw at LetsSaveMoney.com


Another day, another bug!

LetsSaveMoney.com is a "money saving" site. It offers discounts on a wide range of products and services, and is financed through affiliate marketing. Links removed, because the site has disappeared.

My Trade Union, Prospect, has just launched a white-labelled "Members' Rewards" based on LetsSaveMoney - that's how I came across this bug.

It's a depressingly familiar story: submit a search that includes some HTML and watch it being echoed back, unescaped, into the page served to the user.

Lets Save Money XSS

Once an attacker can get a page to load an external resource, it's game over for security. They can load JavaScript, prompt the user for their password, display unauthorised images, and so on.
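To show the class of bug described above, here is an added example (not LetsSaveMoney's code, and nothing to do with their fix) of a minimal search-results renderer in its reflective form and in its escaped form, plus a Content-Security-Policy header as a second layer against loading external resources. The template, function names and the sample search term are all constructed for illustration.

```python
import html

# Constructed page template: the search term is interpolated into the HTML.
PAGE_TEMPLATE = "<h1>Results for: {term}</h1>"

# Defence in depth: even if something slips through, this policy stops the page
# from pulling scripts or images from third-party origins. (Assumed header value.)
CSP_HEADER = ("Content-Security-Policy", "default-src 'self'")


def render_unsafe(term: str) -> str:
    """Reflects the query verbatim: any tag in the search term becomes markup."""
    return PAGE_TEMPLATE.format(term=term)


def render_safe(term: str) -> str:
    """Escapes the query before it reaches the page: '<' becomes '&lt;',
    '"' becomes '&quot;', so the browser treats the input as text, not tags."""
    return PAGE_TEMPLATE.format(term=html.escape(term, quote=True))


def hardened_response(term: str) -> tuple[list[tuple[str, str]], str]:
    """Escaped body together with the CSP header a hardened handler would send."""
    return [CSP_HEADER, ("Content-Type", "text/html; charset=utf-8")], render_safe(term)


def reflects_markup(term: str, page: str) -> bool:
    """Check a tester would make: does a tag from the input survive into the
    page unchanged? True means the page is reflecting raw HTML."""
    return "<" in term and term in page


# Constructed sample: a harmless bold tag, enough to confirm reflection.
SAMPLE = '<b title="x">bold</b>'

if __name__ == "__main__":
    print("unsafe reflects markup:", reflects_markup(SAMPLE, render_unsafe(SAMPLE)))
    print("safe reflects markup:  ", reflects_markup(SAMPLE, render_safe(SAMPLE)))
    print(hardened_response(SAMPLE)[1])
```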

I posted a report on XSSposed and alerted LetsSaveMoney via their "Contact Us" form.

Impressively, I received an email back a few minutes later. I provided the details over email and the site was fixed an hour later!

That's an excellent response time.

If you run a website, familiarise yourself with OWASP's Top 10 Web Vulnerabilities. If you're a worker in a high-tech industry, you should consider joining Prospect as your Trade Union.

Bounty

While I neither asked for, nor expected, a reward - I was delighted to receive an Xmas gift hamper as a token of their appreciation. Bug Bounty Hamper Hurrah!

