[FIXED] XSS vulnerability found in hivekings.com block explorer


Image Source

It's another day and I have found a security vulnerability on another Hive block explorer!

Dang, I wonder how vulnurable our block explorers are as @gaottantacinque have found the same vulnerabilities in not one, but two different Hive block explorers in the past 3 months.

This is the third one, that is currently owned by one of the top 30 witnesses.

Screenshot 20210102 at 4.27.08 PM copy.png

I have stored this harmless attack in a Hive transaction. For those who want to check it out the ID is:

7cdcfc37aa0ecac7e62b16ee8b31242f5ad0fe18

For those who do not know what this is, XSS is a severe security vulnerability present on websites, that allows an attacker to inject malicious code in unsanitized fields that get executed in browsers such as:

  • Redirecting users to a phishing site
  • Stealing credentials stored in the website
  • Keylogging everything entered within the site
  • Cryptojacking

The maintainer has been notified about this vulnerability and will update here once it is fixed.


UPDATE: This issue has been fixed timely. The block explorer in question was hivekings.com, so for those who are using it please perform a hard refresh by doing a Ctrl+Shift+R (or ⌘+Shift+R on macOS), or clear your browser cache.

You may verify the fix here: https://hivekings.com/explorer/?tx=7cdcfc37aa0ecac7e62b16ee8b31242f5ad0fe18 (notice that the code no longer executes).

Hive witness footer 2.png

2 Comments