
Another XSS on SoundCloud


An evening of bug hunting on Facebook led me to the SoundCloud service. I was looking into the possibility of XSS when sharing tracks to the Facebook feed. After several unsuccessful attempts, I wanted to check SoundCloud itself. Within the first five minutes I found a useless, so-called self-XSS: when adding a new tag, you can submit a script, and when you hover the cursor over that tag the code executes. A little later I found two videos on youtube.com where hapless bug hunters presented this as something critical (one even titled the video "Soundcloud Xss epic fail"). Continuing their entertainment, I brought in a second character, because if there is an attacker, there must be a victim.

I uploaded a new track, filled every field with different variations of XSS injections and sent the track to the victim. The victim opened the track, saw very strange tags in the title and description, but listened anyway: it turned out well, though in places the mastering was lacking. Which, in fact, is what the victim decided to tell the author by leaving a constructive comment.

Meanwhile, the author kept searching for places where a script could be smuggled into fields that are rendered to the screen. Reloading the page once more, the attacker noticed that a notification had arrived. Clicking the bell opened the pop-up with the notification history, and a window filled the whole screen - Bingo! A little research showed that a script placed in the track title is executed by the notifications pop-up whenever one of the notifications concerns an infected track. So it is all simple, as indeed it always is.
How can this be used? The attacker uploads another hit. Suppose 100 people leave enthusiastic comments on it. The attacker then adds the "necessary" script to the track name and replies to each user's comment. Over time each of those users sees a notification saying that someone replied to their comment, but as soon as they open the notifications pop-up to read it, the code executes immediately. Stolen cookies, new likes, reposts, new comments: whatever the imagination stretches to.
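To make the mechanism concrete, here is an added example (not SoundCloud's code, and the notification object shape and field names are assumptions for illustration): a notification renderer that concatenates the track title straight into HTML, which is exactly the pattern that turns a stored title into script execution in the pop-up, next to the hardened form that escapes every untrusted field.

```javascript
// Added example, not SoundCloud's code: how a notification pop-up ends up running a
// script stored in a track title, and the fix. The notification shape and field
// names are assumptions for illustration.

// Constructed sample: the notification the victim's browser receives after the
// attacker replies to their comment on a track whose title carries a payload.
const sampleNotification = {
  actor: "attacker",
  kind: "comment_reply",
  trackTitle: 'Summer hit <img src=x onerror="alert(document.cookie)">',
};

// Vulnerable renderer: attacker-controlled strings are concatenated straight into
// HTML, so anything that looks like a tag becomes part of the DOM the moment this
// string is assigned to innerHTML.
function renderNotificationUnsafe(n) {
  return `<li class="notification">${n.actor} replied to your comment on ` +
         `<b>${n.trackTitle}</b></li>`;
}

// Minimal escaping for HTML text content and double-quoted attribute values.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened renderer: every untrusted field is escaped before it touches markup.
function renderNotificationSafe(n) {
  return `<li class="notification">${escapeHtml(n.actor)} replied to your comment on ` +
         `<b>${escapeHtml(n.trackTitle)}</b></li>`;
}

// Quick tester's check on the produced markup: does the raw attacker string survive
// verbatim? If it does, the browser will parse the payload as HTML.
function payloadSurvives(html, untrustedValue) {
  return html.includes(untrustedValue);
}

// Render the same notification both ways so the difference is visible side by side.
function demo() {
  const unsafe = renderNotificationUnsafe(sampleNotification);
  const safe = renderNotificationSafe(sampleNotification);
  return {
    unsafe,
    safe,
    unsafeVulnerable: payloadSurvives(unsafe, sampleNotification.trackTitle), // true
    safeVulnerable: payloadSurvives(safe, sampleNotification.trackTitle),     // false
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

In a real front end the equivalent fix is to bind the title as text (textContent, or a template engine's default-escaping binding) rather than building HTML by hand. Note also that if the session cookie is HttpOnly, document.cookie will not leak it, but the script still runs with the victim's session and can post likes, reposts and comments on their behalf, which is the more realistic impact here.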

After a brief search of the site I did not find a dedicated place to report the problem, so I decided to use the standard feedback page. A few hours after sending the message, I decided to double-check whether a dedicated bug report page existed, and found one. I reported it again.

A day later I received a reply that the bug had already been reported. I tried to find out by whom and when; by my reckoning, it had been reported about 10 hours earlier. Whether or not that is really so will remain a mystery.

There you have it: strangely synchronous bug hunting.

Source: https://habr.com/ru/post/254583/
