Persistent XSS Vulnerability in 160By2


Hi, I've discovered a persistent cross-site scripting vulnerability in the 160by2 website, a popular site used for sending SMS.

Today, while I was sending a message to one of my friends from 160by2, my hacker mind started to work (after a long time). I inserted a script instead of a message. The message was sent to the receiver successfully.

 The inserted script:
     <script>alert("BreakTheSec")</script>


At the same time, 160by2 displayed the message sent by me in the Sent Box. Yeah, the inserted script was executed and displayed the popup.

Whenever I visit the Sent Box, the popup is displayed. In fact, the popup is displayed on the main page as well, because of the "LAST 5 MESSAGES SUMMARY" section on the home page.

I consider the risk level of this vulnerability very, very low because it only works when you are logged in. So, it won't help attackers target victims.
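
Why the stored message runs in both the Sent Box and the "LAST 5 MESSAGES SUMMARY", and the output-encoding fix for it, as an added example that is not from the original post and is not 160by2's code. The function names, message fields and sample data are assumptions made for illustration.

```javascript
// Added example: hypothetical rendering code, not 160by2's implementation.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode the five characters that can change the HTML parsing context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: stored message text is concatenated into markup as-is.
function renderSentBoxUnsafe(messages) {
  return messages.map((m) => `<li>${m.to}: ${m.body}</li>`).join("\n");
}

// Hardened pattern: every stored field is encoded at output time.
function renderSentBoxSafe(messages) {
  return messages
    .map((m) => `<li>${escapeHtml(m.to)}: ${escapeHtml(m.body)}</li>`)
    .join("\n");
}

// The home-page summary reads the same store, so it is a second sink
// and needs the same encoding as the Sent Box.
function renderLastFiveSummary(messages, render) {
  return render(messages.slice(-5));
}

// Review helper: does the rendered markup contain a live script element?
function containsLiveScript(html) {
  return /<script\b/i.test(html);
}

// Constructed sample data; the fourth body is the script quoted in the post.
const sentMessages = [
  { to: "9000000001", body: "See you at 5" },
  { to: "9000000002", body: "Happy birthday!" },
  { to: "9000000003", body: "Call me" },
  { to: "9000000004", body: '<script>alert("BreakTheSec")</script>' },
  { to: "9000000005", body: "Tom & Jerry at 7?" },
  { to: "9000000006", body: "ok" },
];

console.log(renderLastFiveSummary(sentMessages, renderSentBoxSafe));
```
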