XSSI on refer.xoom.com allows stealing email addresses and posting to Twitter on behalf of victim
State Resolved (Closed)
Disclosed publicly 2019-02-07T23:25:32.925Z
Reported To PayPal
Weakness Cross-Site Request Forgery (CSRF)
Bounty $3,500

Summary by alexbirsan

Due to a cross-origin configuration, the application at refer.xoom.com could be embedded in script tags on other websites. If a malicious site were open in the same browser as refer.xoom.com, the malicious site could see and extract data from the referral page. This included the email addresses being used and, in extreme cases, tokens allowing Xoom access to post on a user’s Twitter. Any Twitter activity was limited, clearly marked as posted by Xoom, and could be mitigated by the user at any time by deauthorizing access. This did not affect any session or financial data and was limited to the referral page.

Timeline
submitted a report to PayPal.
2018-11-27T20:03:11.091Z

Regards,
Frans

still Activities::BugTriaged
2018-11-27T20:15:39.872Z


space_pp Activities::ReportSeverityUpdated
2019-01-10T20:42:44.360Z


Activities::BountyAwarded
2019-01-10T22:02:22.676Z


alexbirsan Activities::Comment
2019-01-11T11:23:08.149Z


space_pp Activities::BugResolved
2019-01-24T15:52:13.289Z


alexbirsan Activities::AgreedOnGoingPublic
2019-01-24T16:07:09.350Z


space_pp Activities::AgreedOnGoingPublic
2019-02-07T23:25:32.858Z


space_pp Activities::ReportBecamePublic
2019-02-07T23:25:32.946Z