What's the most malicious thing you can do with an injected HTML heading element? https://shkspr.mobi/blog/2022/08/whats-the-most-malicious-thing-you-can-do-with-an-injected-html-heading-element/
-
One year later and @ACM still haven't fixed this issue with their website.
-
@Edent I don’t blame them - if the worst you can do is put a naughty image in there, then there’s no benefit to fixing it. This isn’t a security issue as far as I can see, either.
I get nice people from India occasionally connecting me saying this sort of thing is a massive security flaw - I patch them but only give a notional payment as thanks; no chance of even stealing credentials like this.
-
@james I understand your position. But, at the same time, if the **ACM** can't be bothered to fix a bug on their website, it doesn't say much for their position in our industry.
(And, FWIW, I never send "Beg Bounty" emails.)