Hi, I've discovered a persistent cross site scripting vulnerability in 160by2 website, a popular site used for sending SMS.
Today, while i'm sending message to one of my friend from 160by2, My Hacker mind started to work (after long time). I insert a script instead of message. Successfully , the message has been sent to the receiver.
The inserted script:
<script>alert("BreakTheSec")</script>
At the same time, 160by2 displayed the message send by me in the Sent Box. Yeah, inserted-script is being executed and displayed the popup.
Whenever i visit the Sent box, the popup is being displayed. In fact, the popup is being displayed in the main page also because of "LAST 5 MESSAGES SUMMARY" section in the home page.
I consider the risk level of this vulnerability as very very low because it only work when you logged in. So, it won't help attackers to target victims.
