Vulnerabilities in RunKeeper website could allow hackers to run XSS worm

A security researcher David Sopas has discovered a Cross site scripting and Cross Site Request Forgery(CSRF) vulnerabilities in the RunKeeper website, official site of popular GPS fitness-tracking application.

The POST request in the "Account Setting" page failed to use security token to validate the request results in CSRF vulnerability.  It could allowed cybercriminals to modify information of an authenticated user by tricking them into clicking a crafted link that will send a malicious request.

The Persistent XSS vulnerability on user Account Settings and on the profile page poses a potential security risk.  The cybercriminals could have launched a malicious cyber attack and infect millions of users.


Creating Hybrid attack that take advantage of XSS and CSRF vulnerabilities results in hijacking user profile. Hackers also could have modified POC little bit and run an XSS worm.

Runkeeper fixed these security issues immediately after got a notification from Sopas.

Sharecash vulnerable to Persistent Cross Site Scripting vulnerability

Security Researcher, Rafay Baloch, the founder of Rafay Hacking Articles,  has discovered a Cross Site scripting (XSS) Vulnerability in ShareCash website(sharecash.org). ShareCash is the highest paying Pay-Per-Download network around.

The vulnerability affects the  "Manage Widget" page of ShareCash.  The XSS vulnerability found to be stored one.

Stored XSS Vulnerability

Stored XSS is critical one since the script is being stored on the server and is being executed every time user visits the affected page.

In an Email Sent to EHN, Researcher provided the screenshot of the Proof-of-concept.  From the POC, I come to know that the "Widget Name" is vulnerable to xss attack.  It seems like the developer fails to validate the input.

Rafay claimed that he sent more than 10 emails to share cash to notify them about the vulnerability, but they failed to respond.

Stored XSS vulnerability in Tumblr can be used for Phishing and Malware attack

tumblr stored xss

Recently we reported that the reason behind the Tumblr reblog attack is Stored cross Site scripting(XSS) vulnerability. The vulnerability was discovered by a security researcher Janne Ahlberg. Janne says the vulnerability is not yet fixed.

According to his research, It is possible to embed JavaScript and some other HTML tags to certain Tumblr post types (e.g. video post).

The vulnerability can be used for launching phishing attacks.  For instance,it would be quite easy to ask input from user in various ways. User input could be stored to attackers server. Attacker could push malicious files from his/her server to Tumblr users.

"Attacker could create several Tumblr accounts and start blogging viral or popular videos using well chosen tags. Trust and popularity could be increased by using other accounts for reblogging video posts."Researcher described one possible attack scenario.

"Once the 'attack blog' would have enough followers, attacker could create a malicious post again with carefully selected tags. If the followers would reblog a malicious post, the spreading of payload would start."

Tumblr worm spread due to unfixed Stored XSS vulnerability


tumblr worm xss

The day after Tumblr was hit by a "worm" that left many Tumblr websites defaced with an identical message by Internet troll group GNAA, a security researcher has confirmed there is Stored Cross site scripting vulnerability in Tumblr that allowed attackers to hack Tumblr.

According to Naked Security report, the worm appears to took advantage of Tumblr's reblogging feature, meaning that anyone who was logged into Tumblr would automatically reblog the infectious post if they visited one of the offending pages.

If you were not logged into Tumblr when your browser visited the url, it would simply redirect you to the standard login page.

According to some news report, the hackers behind the attack has warned Tumblr weeks ago about a vulnerability. But there is no response from Tumblr.

Tumblr XSS hack
Janne Ahlberg confirmed XSS vulnerability


"I created a temporary Tumblr account using different browser, submitted a public post with stored XSS payload and visited the profile from another PC & different account. The vulnerability seems to be valid." Security researcher Janne Ahlberg confirmed the xss flaw in his blog post.

"A new Tumblr worm could still be possible. See analysis by @JanneFI: http://janne.is/testing-tumblr-worm-root-cause/ … Good example on how XSS vulns are not harmless." Mikko Hypp√∂nen, CRO at F-Secure tweet reads.

*Update* Tumblr is still vulnerable to stored-XSS Read the updated post here