Hive App subject to multiple security vulnerabilities

in CyberSecurity, 6 months ago (edited)
Authored by @gaottantacinque
This article is optimized for desktop browsers and Peakd.
<hr />
<p dir="auto"><img src="https://images.hive.blog/768x0/https://files.peakd.com/file/peakd-hive/keys-defender/23wWpaeUGCucxr39rwxbbt4WREDfKtGT7ZFp9roiHeRJPzgZM9o16RowjZoFVtq93emMN.png" alt="watermark.png" /></p>
<p dir="auto"><center><sub>Image AI-generated by <a href="/@karina.gpt">@karina.gpt</a> in the Crypto Shots <a href="https://crypto-shots.com/discord" target="_blank" rel="nofollow noreferrer noopener" title="This link will take you away from hive.blog" class="external_link">server</a></sub></center></p>
<hr />
<p dir="auto">I recently volunteered to test a Hive dapp (which won't be named, at least until all the flagged issues are resolved).</p>
<h4>Please find below my findings.</h4>
<p dir="auto">Use these to ensure that your own Hive frontend has protections in place against issues like these.</p>
<h4>Don't know how?</h4>
<p dir="auto">Stay tuned for my guide on how to build <code>Secure Hive Applications</code>!<br /> It should be out around mid-July with links to a test repo.</p>
<hr />
<h2>1- Stored XSS (Cross-Site Scripting)</h2>
<p dir="auto">Missing sanitization for SVG files.<br /> The following snippet triggered code execution every time the page was visited:</p>
<pre><code><div>
  <svg width="200px" height="200px" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
    <script type="text/ecmascript"> alert(1) </script>
    <circle cx="100" cy="100" r="80" fill="green"></circle>
  </svg>
</div></code></pre>
<p dir="auto">To learn more about XSS vulnerabilities see:<br /><a href="https://owasp.org/www-community/attacks/xss" target="_blank" rel="nofollow noreferrer noopener" title="This link will take you away from hive.blog" class="external_link">https://owasp.org/www-community/attacks/xss</a></p>
<hr />
<h2>2- Open Redirect</h2>
<p dir="auto">Triggered a redirect: <code><meta http-equiv="refresh" content="0;URL=https://google.com"></code><br /> Did not execute: <code><meta http-equiv="refresh" content="0;URL=javascript:alert()"></code></p>
<p dir="auto">To learn more about malicious redirects see:<br /><a href="https://learn.snyk.io/lesson/open-redirect" target="_blank" rel="nofollow noreferrer noopener" title="This link will take you away from hive.blog" class="external_link">https://learn.snyk.io/lesson/open-redirect</a></p>
<p dir="auto"><strong>Exploit:</strong></p>
<blockquote><p dir="auto">This can be used to redirect to a page very similar to yours, which could then prompt you to start any operation (eg. a transfer) from your Hive Keychain, masking it as a simple login.</p></blockquote>
<hr />
<h2>3- Pinata Gateway token leak</h2>
<p dir="auto">This is what gets generated for all image uploads...</p>
<p dir="auto"><code>![](https://ipfs.VULNERABLE_DAPP.app/ipfs/QmaGDjdgPQcgpKUTEE9kD4YW9QLmLsodfQADhy51E65d46?pinataGatewayToken=nxHS...eXWH-gXCY....OOPS....XyFE)</code></p>
<p dir="auto">Note the <code>?pinataGatewayToken</code> URL parameter.</p>
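<p dir="auto">The fix for finding 3 is to keep the gateway token out of anything that gets written to the chain. What follows is an added example, not the dapp's or Pinata's code: helpers that strip the <code>pinataGatewayToken</code> parameter from an upload response URL before the image markdown is built, a render-time scrub for posts already published, and a scanner that lists the tokens found in a post body so the operator knows which ones to revoke. The host and CID pattern are the ones shown above; the token value is a constructed placeholder. If the gateway genuinely needs a token, the usual design is to keep it server-side in a proxy that attaches it on the way out, so the public URL never carries it.</p>

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameters that must never be written into a post body (compared lower-case).
SECRET_PARAMS = {"pinatagatewaytoken"}

# Markdown image/link target "(https://...)" so existing posts can be scrubbed.
MD_URL_RE = re.compile(r"\((https?://[^)\s]+)\)")
# A leaked token for the detection scan: the value runs until '&', ')' or whitespace.
TOKEN_RE = re.compile(r"[?&]pinataGatewayToken=([^&)\s]+)", re.IGNORECASE)


def strip_gateway_token(url: str) -> str:
    """Return url with every secret query parameter removed.

    The /ipfs/<CID> path identifies the content; the token only authorises the
    gateway, so dropping it never changes what the link points to.
    """
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() not in SECRET_PARAMS]
    return urlunsplit(parts._replace(query=urlencode(kept)))


def image_markdown(upload_url: str, alt: str = "") -> str:
    """What the upload handler should emit: the gateway URL minus the token."""
    return f"![{alt}]({strip_gateway_token(upload_url)})"


def scrub_post_body(body: str) -> str:
    """Render-time defence: rewrite every markdown URL in an already-published
    post so a token that slipped through is neither displayed nor requested."""
    return MD_URL_RE.sub(lambda m: "(" + strip_gateway_token(m.group(1)) + ")", body)


def find_leaked_tokens(body: str) -> list:
    """Detection: return the token values present in a post body."""
    return [m.group(1) for m in TOKEN_RE.finditer(body)]


if __name__ == "__main__":
    # Constructed sample: the host and CID from the finding, with a placeholder token.
    leaked = ("https://ipfs.VULNERABLE_DAPP.app/ipfs/QmaGDjdgPQcgpKUTEE9kD4YW9QLmLsodfQADhy51E65d46"
              "?pinataGatewayToken=TOKEN_PLACEHOLDER")
    print(image_markdown(leaked))
    print(find_leaked_tokens(f"![]({leaked})"))
    print(scrub_post_body(f"![]({leaked})"))
```

<p dir="auto">Stripping the parameter is only half of the cleanup: a token that has already appeared in a published post is public and should be rotated, which is why the scanner returns the values rather than just a count.</p>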
<p dir="auto">Impact:</p>
<ul>
<li>Unauthorized access:<br /><em>If someone gains access to your Pinata gateway token, they can use it to interact with your IPFS content. This could lead to unauthorized modifications, deletions, or other actions on your data. It’s crucial to keep your gateway tokens secure and avoid sharing them publicly.</em></li>
<li>Performance issues:<br /><em>Public IPFS gateways, including Pinata’s public gateway, have rate limits and can be slower due to heavy usage by users worldwide. When you use a public gateway frequently, you might experience slower loading times for your content. Pinata recommends using public gateways only for testing purposes, not production apps.</em></li>
</ul>
<hr />
<p dir="auto"><sub>Less critical ones...</sub></p>
<h2>4- Clickjacking</h2>
<p dir="auto">An attacker can simply embed your website full-screen, as is, and display an overlay with invisible fields on top of the real login fields in order to steal users' credentials.</p>
<p dir="auto">Or they could show an overlay with an amazing offer to subscribe to your services at a huge discount, paid by credit card or by sending funds to the attacker's account.</p>
<p dir="auto">To learn more about clickjacking:<br /><a href="https://owasp.org/www-community/attacks/Clickjacking" target="_blank" rel="nofollow noreferrer noopener" title="This link will take you away from hive.blog" class="external_link">https://owasp.org/www-community/attacks/Clickjacking</a></p>
<hr />
<h2>5- Reverse Tabnabbing</h2>
<p dir="auto"><code><a href="https://peakd.com" target="_blank">test</a></code></p>
<p dir="auto">None of the external links have <code>rel="noopener noreferrer"</code> to protect against it.</p>
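<p dir="auto">Findings 1, 2 and 5 all come down to rendering user-authored markup without an allowlist pass. The following is an added example, not the audited dapp's code or any Hive library's: a small allowlist sanitizer built on Python's standard-library <code>HTMLParser</code>. It drops script, svg, meta and other active or redirecting elements together with their content (so the SVG payload from finding 1 and the meta refresh from finding 2 never reach the DOM), strips <code>on*</code> handlers and <code>javascript:</code>/<code>data:</code>/scheme-relative URLs, and adds <code>rel="noopener noreferrer"</code> to every <code>target="_blank"</code> link (finding 5). The element and attribute allowlists are assumptions chosen for illustration. A production frontend should run an HTML5-aware sanitizer such as DOMPurify in the browser, because <code>HTMLParser</code> does not model browser tree-construction quirks; the pass below shows the rules, and its audit log is what a server would alert on.</p>

```python
from html import escape
from html.parser import HTMLParser

# Allowlists are assumptions chosen for illustration, not the audited dapp's.
ALLOWED_TAGS = {"p", "br", "hr", "b", "strong", "i", "em", "u", "a", "img", "ul",
                "ol", "li", "blockquote", "code", "pre", "h1", "h2", "h3", "h4",
                "div", "span", "center", "sub", "sup", "table", "tr", "th", "td"}
ALLOWED_ATTRS = {"a": {"href", "title", "target"},
                 "img": {"src", "alt", "width", "height"},
                 "div": {"class"}, "span": {"class"}}
# Removed together with everything inside them: script/svg carry active
# content (finding 1); meta/base/link can redirect or rebase the page (finding 2).
DROP_WITH_CONTENT = {"script", "style", "svg", "math", "iframe", "object", "embed",
                     "meta", "link", "base", "form", "noscript", "title", "template"}
VOID = {"br", "hr", "img", "meta", "link", "base", "input", "source", "wbr",
        "area", "col", "embed", "param", "track"}


def is_safe_url(value: str) -> bool:
    """Allow http(s), mailto and same-origin relative URLs only. Browsers ignore
    control characters and whitespace inside a scheme ("java\\nscript:"), so
    strip them before looking at the prefix."""
    v = "".join(ch for ch in value if ord(ch) > 32).lower()
    if v.startswith(("http://", "https://", "mailto:")):
        return True
    return v.startswith(("/", "#", "?")) and not v.startswith("//")


class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.stack, self.dropped = [], [], []
        self.skip = 0  # element nesting depth while inside a dropped element

    def handle_starttag(self, tag, attrs):
        if self.skip:
            if tag not in VOID:
                self.skip += 1
            return
        if tag in DROP_WITH_CONTENT:
            self.dropped.append(f"<{tag}> removed with its content")
            if tag not in VOID:
                self.skip = 1
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(f"<{tag}> not allowlisted, text kept")
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):
                self.dropped.append(f"{tag}@{name} event handler")
            elif name not in ALLOWED_ATTRS.get(tag, ()):
                continue
            elif name in ("href", "src") and not is_safe_url(value):
                self.dropped.append(f"{tag}@{name}={value!r} unsafe URL")
            elif name == "target" and value != "_blank":
                continue
            else:
                kept.append((name, value))
        if tag == "a" and ("target", "_blank") in kept:
            kept.append(("rel", "noopener noreferrer"))  # finding 5: sever window.opener
        self.out.append("<" + tag + "".join(f' {n}="{escape(v)}"' for n, v in kept) + ">")
        if tag not in VOID:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if self.skip:
            if tag not in VOID:
                self.skip -= 1
        elif tag in self.stack:
            while self.stack:  # also closes anything left open inside `tag`
                open_tag = self.stack.pop()
                self.out.append(f"</{open_tag}>")
                if open_tag == tag:
                    break

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        self.dropped.append("comment removed")  # comments are never re-emitted

    def close(self):
        super().close()
        while self.stack:  # close whatever the author left open
            self.out.append(f"</{self.stack.pop()}>")


def sanitize(markup: str):
    """Return (clean_html, audit_log); the log is what to alert on server-side."""
    s = Sanitizer()
    s.feed(markup)
    s.close()
    return "".join(s.out), s.dropped


if __name__ == "__main__":
    # Constructed inputs: the three payloads from findings 1, 2 and 5.
    for sample in ('<div> <svg xmlns="http://www.w3.org/2000/svg"> <script> alert(1) </script> '
                   '<circle cx="100" cy="100" r="80" fill="green"></circle> </svg> </div>',
                   '<meta http-equiv="refresh" content="0;URL=https://google.com">',
                   '<a href="https://peakd.com" target="_blank">test</a>'):
        print(sanitize(sample))
```

<p dir="auto">Dropping the whole svg element is deliberate: inline SVG has its own script, event-handler and <code>foreignObject</code> surface, and a frontend that must show SVG images is better off serving the file from a separate origin via an <code>img</code> tag, where scripts do not run, than trying to sanitise it element by element.</p>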
<p dir="auto">To learn more about reverse tabnabbing:<br /><a href="https://owasp.org/www-community/attacks/Reverse_Tabnabbing" target="_blank" rel="nofollow noreferrer noopener" title="This link will take you away from hive.blog" class="external_link">https://owasp.org/www-community/attacks/Reverse_Tabnabbing</a></p>
<hr />
<p dir="auto">That's all folks.<br /> Stay tuned for my guide on securing your Hive apps!</p>
<hr />
<div class="pull-right">
<p dir="auto"><sub><b>My security disclosures for Hive:</b></sub></p>
<ul>
<li><sub><a href="https://hive.blog/hive-139531/@gaottantacinque/stored-xss-vulnerability-in-one-of-the-hive-frontends">XSS vulnerabilities in #########.com</a></sub></li>
<li><sub><a href="https://hive.blog/hive-139531/@gaottantacinque/defacement-phishing-vulnerability-in-one-of-the-most-used-hive-tools">XSS vulnerabilities in hive-db.com</a></sub></li>
<li><sub><a href="https://hive.blog/hive/@gaottantacinque/xss-found-in-one-of-drako-s-websites-will-add-details-after-it-s-patched">XSS vulnerabilities in scribe.hivekings.com</a></sub></li>
<li><sub><a href="https://hive.blog/hive/@gaottantacinque/hiveblockexplorer-com-is-vulnerable-to-stored-xss">XSS vulnerabilities in hiveblockexplorer.com</a></sub></li>
<li><sub><a href="https://hive.blog/steemit/@gaottantacinque/steemit-got-hacked">Malicious ads redirecting all Steemit iOS users to a phishing site</a></sub></li>
<li><sub><a href="https://hive.blog/security/@gaottantacinque/steemit-chat-is-unsafe">Reverse tabnabbing and clickjacking in steem.chat and the Steemit registration page</a></sub></li>
</ul>
<p dir="auto"><sub><b>Other contributions:</b></sub></p>
<ul>
<li><sub><a href="https://hive.blog/hive-139531/@keys-defender/phishing-on-hive-no-more-solution-for-all-frontends">Universal script to prevent phishing in all Hive frontends</a></sub></li>
<li><sub><a href="https://peakd.com/hive-169321/@keys-defender/new-commands-and-ban-lists" target="_blank" rel="nofollow noreferrer noopener" title="This link will take you away from hive.blog" class="external_link">Commands for community reports and ban/mute lists</a></sub></li>
</ul>
</div>

Working on a new front end for PIMP as we speak, might have to ask you to test it out :P