Categories > WeAreDevs > Suggestions >

Global Chat Bug

Cyros

Revision

Posts: 1060

Threads: 49

Joined: Feb, 2021

Reputation: 20

Posted

Level: Low

 

Type this in chat;

<p><img src="/images/avatars/75495_1663371931322.png" alt="abcdefg"/></p>

 

Will show picture, ONLY CLIENT SIDED.

This could be used to an advantage to get the _WRDSec Cookie to access accounts

 

also add emojis

  • 0

We Hate VOID

Medusa

WeAreTruth

vip

Posts: 148

Threads: 17

Joined: Jul, 2022

Reputation: -29

Replied

this thread is a lie, this is not a bug let me pull cookies in peice

  • 0

https://media.discordapp.net/attachments/1064332722065117204/1067596913781784606/Frame_2_1.png

Xero

admin

Posts: 975

Threads: 34

Joined: Dec, 2016

Reputation: 108

Replied

1. _WRDSec is HTTP only and can't be grabbed from Javascript. There is no security concern in regards to accessing another account.

2. <script> tags are rejected, so you can't run scripts anyway.

3. The HTML only injects for yourself. It doesn't affect others viewing the chat.

 

So no security concern in general, but is definitely a bug. I've fixed it and thank you for the report!

  • 0

https://cdn.wearedevs.net/images/icons/youtube.png Coding Tutorials  https://i.imgur.com/z8bRyw3.png Blog

Users viewing this thread:

( Members: 0, Guests: 1, Total: 1 )