Hive App subject to multiple security vulnerabilities

_{_{This article is optimized for Desktop browsers and Peakd}}

_{Image AI-generated by Hive account@karina.gpt in the Crypto Shots server}

I recently volunteered to test a Hive Dapp (that won't be named at the very least until all the flagged issues are resolved).

Please find below my findings.

Use these to ensure that your own Hive frontend has protections in place for things like these.

Don't know how?

Stay tuned for my guide on how to build Secure Hive Applications !
It should be out around mid-July with links to a test repo.

1- Stored XSS (Cross-Site-Scripting)

Missing sanitization for SVG files.
The following snippet was able to trigger the code execution every time the page was visited:

<div>    
    <svg width="200px" height="200px" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
        <script type="text/ecmascript">
          alert(1)
        </script>
        <circle cx="100" cy="100" r="80" fill="green"></circle>
    </svg>
</div>

To learn more about XSS vulnerabilities see:
https://owasp.org/www-community/attacks/xss

2- Open Redirect

Triggered a redirect: <meta http-equiv="refresh" content="0;URL=https://google.com">
Did not execute: <meta http-equiv="refresh" content="0;URL=javascript:alert()">

To learn more about malicious redirect see:
https://learn.snyk.io/lesson/open-redirect

Exploit:

This can be used to redirect to a page very similar to yours and it could prompt you to start any operations (eg. transfer) from your Hive Keychain masking it as a simple login.

3- Pinata Gateway token leak

This is what gets generated for all image uploads...

![](https://ipfs.VULNERABLE_DAPP.app/ipfs/QmaGDjdgPQcgpKUTEE9kD4YW9QLmLsodfQADhy51E65d46?pinataGatewayToken=nxHS...eXWH-gXCY....OOPS....XyFE)

Note the ?pinataGatewayToken URL parameter.

Impact:

Unauthorized Access:

If someone gains access to your Pinata gateway token, they can use it to interact with your IPFS content. This could lead to unauthorized modifications, deletions, or other actions on your data.
It’s crucial to keep your gateway tokens secure and avoid sharing them publicly.

Performance Issues:

Public IPFS gateways, including Pinata’s public gateway, have rate limits and can be slower due to heavy usage by users worldwide.
When you use a public gateway frequently, you might experience slower loading times for your content.
Pinata recommends using public gateways only for testing purposes, not production apps.

_{Less critical ones...}

4- Clickjacking

An attacker can simply embed full-screen your website as is and display an overlay with invisible fields on top of the real login fields, in order to steal users' credentials.

Or they could show an overlay with an amazing offer to subscribe to your services with a huge discount by paying with a credit card or sending funds to the attacker's account.

To learn more about clickjacking:
https://owasp.org/www-community/attacks/Clickjacking

5- Reverse Tabnabbing:

<a href="https://peakd.com" target="_blank">test</a>

None of the external links have rel=“noopener noreferrer” to protect from it.

To learn more about reverse tabnabbing:
https://owasp.org/www-community/attacks/Reverse_Tabnabbing

That's all folks.
Stay tuned for my guide on Securing your Hive Apps!

_{My security disclosures for Hive:}
_{- _{XSS vulnerabilities in #########.com}}
_{- _{XSS vulnerabilities in hive-db.com}

- _{XSS vulnerabilities in scribe.hivekings.com}

- _{XSS vulnerabilities in hiveblockexplorer.com}

- _{Malicious ads redirecting all Steemit iOS users to a phishing site}

- _{Reverse tabnabbing and clickjacking in steem.chat and steeemit registration page}}

_{Other contributions:}
_{- _{Universal script to prevent phishing in all Hive frontends}}
_{- _{Commands for community reports and ban/mute lists}} _{Future development: _plan} _{Last report: _{https://peakd.com/@keys-defender/monthly-report-june-july-august-2021-hive-13323}}

Keys-Defender features:

- _{Keys protection_{[live scan of transfers/posts/comments/other_ops.
Warnings (reply and memo), auto-transfers to savings until fully restored, auto-reset of keys, ..] {see automatic posts on leak and monthly reports}}}
- _{Phishing protection
_{[live scan of comments and posts to warn users against known phishing campaigns and compromised domains or accounts, scan of memos and auto-replies, anti phishing countermeasures - eg. fake credentials]}}
- _{Re-posting detection
_{[mitigates the issue of re-posters]}}
- _{Code injection detection
_{[live scan of blocks for malicious code targeting dapps of the Hive ecosystem]}}
- _{Anti abuse efforts
_{[counteracts spam from hive haters and milking campaigns]}}