Sunday, October 18, 2009

Shaadi.Com XSS Vulnerability

So I am a bachelor,

wanting to search for my soulmate,


I am from India,
so I visited Shaadi.com,

I was searching for my bride and I noticed something in the URL,
have a look,



Oops, you can't see it. There are some stupid rules about vulnerability disclosure on the net...........

Now, as I saw that ** in the URL parameter, my hands started working (can't help it.......) and whoop, it worked, have a look,



Nice one, na?
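Since the screenshots are gone from the post, here is an added example of what a reflected XSS in a URL parameter looks like in code. This is not from the original post and not Shaadi.com's code; the parameter name `q`, the search-box template and the payload are all assumptions chosen for illustration:

```javascript
// Added example: reflected XSS via a URL parameter, vulnerable vs. fixed.
// Not the post's or Shaadi.com's code. The parameter name "q" and the
// search-box template are assumptions made for illustration only.

// Constructed test payload: closes the value attribute, then injects a script tag.
const SAMPLE_PAYLOAD = '"><script>alert(1)</script>';

// Parse the query string of a URL into a plain object (first value wins).
function parseQuery(url) {
  const params = {};
  const qs = url.split('?')[1] || '';
  for (const pair of qs.split('&')) {
    if (!pair) continue;
    const i = pair.indexOf('=');
    const rawKey = i < 0 ? pair : pair.slice(0, i);
    const rawVal = i < 0 ? '' : pair.slice(i + 1);
    const key = decodeURIComponent(rawKey.replace(/\+/g, ' '));
    if (!(key in params)) {
      params[key] = decodeURIComponent(rawVal.replace(/\+/g, ' '));
    }
  }
  return params;
}

// VULNERABLE: the parameter is reflected straight into an HTML attribute.
// A double quote in the input ends the attribute and the rest is parsed as markup.
function renderVulnerable(url) {
  const q = parseQuery(url).q || '';
  return `<input type="text" name="q" value="${q}">`;
}

// HTML-encode the five characters that can break out of text or attribute context.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// FIXED: same template, but the reflected value is encoded for the attribute context.
function renderSafe(url) {
  const q = parseQuery(url).q || '';
  return `<input type="text" name="q" value="${escapeHtml(q)}">`;
}

// Crude check used for the demonstration: did a <script> tag end up in the
// output that the template itself never contained?
function containsInjectedScript(html) {
  return /<script\b/i.test(html);
}

// Build the attack URL the way a browser would send it (hypothetical host).
function attackUrl(payload) {
  return 'https://example.test/search?q=' + encodeURIComponent(payload);
}

// Stand-alone demonstration.
const demoUrl = attackUrl(SAMPLE_PAYLOAD);
console.log('vulnerable:', renderVulnerable(demoUrl));
console.log('injected? ', containsInjectedScript(renderVulnerable(demoUrl)));
console.log('fixed:     ', renderSafe(demoUrl));
console.log('injected? ', containsInjectedScript(renderSafe(demoUrl)));
```

Two points a tester would check against a patched site: the fix has to encode for the context the value lands in (an attribute here; a JavaScript string or a URL would need different encoding), and it must be applied on every page that reflects the parameter, which is why a "patched" claim should be retested with the original payload, as the post's update does.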

Then I decided to look at what they say about Safety, Security & Privacy on their website,


I have nothing to say...............

But now you will say, is it right that I published this on my blog?

So the answer is yes,

Because I informed them, and I got the following reply from them after 3 days. Now, as per them, it is patched, but I can still exploit it... God knows what they did.........

Hmm.......... I think they might have deleted my email to claim that they never got it............... so no need to react...... right...... hehe, it is the same as our government: they just put all the reports in the dustbin and claim that they never got them, so no need to take any action......... :P

See what I got from customer care on the first day,



OK, and this is what I got after 3 days,




Update: Tested on 5th Nov. Test was negative :)
