A few days ago, the user @gaottantacinque brought a cross site scripting bug to my attention. This one, which was found there, was already fixed by the site operator @penguinpablo. But I did a little more research and found another XSS vulnerability on the site. The stored XSS vulnerability I found is at least as dangerous as the one fixed before.
With the vulnerability I found, the operator simply has to use the same method of outputting code that he has already fixed before, just in a different location. Other parameters - HTML data that can be stored in the block chain in the profile should not be rendered in a frontend to protect the security of the user.
I have already sent a message to the developer and pointed out where the vulnerability is on the page.
The same problem exists on the page for the Steem Blockchain. So the older tool Steemblockexplorer.
Unfortunately this is not the first critical vulnerability I have found in applications around Hive / Steem. In the past I have found many such vulnerabilities and have reported them to the developers of the project. And here is my request to you project developers: Please check your frontends for XSS! Since in most cases money is involved, such critical and easy to solve security holes do not belong here.
Thanks
~louis