Multiple XSS in Copy.com

Copy.com is a Barracuda Networks file sharing service, which offers 15 GB of free cloud storage for your files.

When I first read about Copy.com I almost immediately registered for an account. 15 GB of free storage was very tempting. A few moments later I started reporting vulnerabilities.

1. Company settings page – “Company Name” and “Directory Name” did not escape the double-quote character, so a value could close the HTML attribute early and add its own attributes, with an injection like:

" onclick=alert(document.cookie) x="

2. Profile settings page – the “Verify” and “Remove” e-mail functions were vulnerable to an XSS via the URL. After clicking the injected word, an alert box popped up.

3. Billing settings page – “Name on Card” and all “Address” fields did not escape the double-quote character either, which again allowed an injection like:

" onclick=alert('http://lubi.cz') "
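Bugs #1 and #3 are the same defect: a user-supplied value is placed inside a double-quoted HTML attribute without output encoding. The following is an added example, not Copy.com's code: a hypothetical rendering of the “Company Name” field in its vulnerable and fixed forms, plus a small attribute tokenizer that shows how the post's payload changes the attribute list of the resulting tag.

```javascript
// Added example (not Copy.com code). Payload as quoted in the post: it closes
// the value="..." attribute and appends an event-handler attribute.
const PAYLOAD = '" onclick=alert(document.cookie) x="';

// Vulnerable: the user-controlled value is concatenated verbatim, so a quote
// in it terminates the attribute early and the rest becomes new attributes.
function renderCompanyNameVulnerable(value) {
  return '<input type="text" name="company_name" value="' + value + '">';
}

// Fixed: encode the characters that carry meaning inside an attribute value
// (quotes and ampersand; < and > as well) before concatenation.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

function renderCompanyNameSafe(value) {
  return '<input type="text" name="company_name" value="' + escapeAttr(value) + '">';
}

// Minimal attribute tokenizer for one tag (a check, not a real HTML parser):
// returns the attribute names a browser would see, in order.
function attributeNames(tag) {
  const inner = tag.replace(/^<\w+\s*/, "").replace(/\s*\/?>$/, "");
  const re = /([^\s="'<>\/]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/g;
  const names = [];
  let m;
  while ((m = re.exec(inner)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Did the value escape its attribute and introduce an on* handler?
function hasInjectedHandler(tag) {
  return attributeNames(tag).some((n) => n.startsWith("on"));
}

const vulnerable = renderCompanyNameVulnerable(PAYLOAD);
const fixed = renderCompanyNameSafe(PAYLOAD);
console.log(vulnerable, attributeNames(vulnerable)); // [..., 'onclick', 'x']
console.log(fixed, attributeNames(fixed));           // ['type', 'name', 'value']
```

The same `hasInjectedHandler` check can be run over any server-rendered form page as a cheap regression test for the fix.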


Timeline:

[May 16th 2013] - bugs #1 & #2 were reported
[May 17th 2013] - bug #2 was fixed
[June 19th 2013] - second contact, because bug #1 had not been fixed. It was fixed soon after.
[June 25th 2013] - bug #3 was reported
[July 10th 2013] - bug #3 was fixed

I would like to thank Zack, Tom and Brian for their flawless work on the bug-fixing process.

If you would like to receive 20 GB (15+5 GB) of free cloud storage, please use this link, which will give us both an additional 5 GB of bonus space (client installation is needed). Thank you.
