Reporting 3 Bugs in Steemit - severity: high, med, low

in #steemit-issues · 7 years ago (edited)

Bug 1:

Links opened in a new tab - #security #xss

These links in the menu section use the infamous target="_blank" attribute:

  • Blocktrades
  • GOPAX
  • The Steemit Shop
  • Steem Chat
  • Jobs at Steemit
  • Apps Built on Steem
  • Steemit API Docs
  • Steem Bluepaper
  • SMT Whitepaper
  • Steem Whitepaper
  • About

Same for the "Markdown Styling Guide" link in the top right corner of the preview box that appears when the user drafts a new post.

What's the issue with that?

In a nutshell: if the third-party site is compromised, the page opened in the new tab holds a window.opener reference to the Steemit tab it was opened from and can navigate that tab to a phishing page (reverse tabnabbing).

The fix is to open the new tab from a temporary iframe. (Note: simply adding rel="noopener noreferrer" to the link is not a valid fix in all browsers, e.g. Safari.)

For more details see HERE and HERE.
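The following is an added example by the editor, not code from the post or from Steemit: it shows how an attacker page abuses window.opener, an audit of link attributes for the problem described above, the rel="noopener noreferrer" fix, and the temporary-iframe technique the post recommends. The menu link objects are constructed with placeholder hrefs; the function names are the editor's own. (Editor's note: Safari 12.1, Firefox 79 and Chrome 88 and later treat target="_blank" as implying noopener, so the Safari caveat above describes browsers of the post's time.)

```javascript
// Added example (editor's, not Steemit's code): reverse tabnabbing through
// target="_blank", and the two fixes discussed in the post.
//
// A page opened from <a target="_blank"> without rel="noopener" receives a
// window.opener handle to the tab that opened it. That handle is cross-origin,
// so the third-party page cannot read the Steemit DOM, but it may still
// *navigate* the opener:
//
//     window.opener.location = "https://steemit-login.example/";  // lookalike login page
//
// The user, switching back to what they believe is the Steemit tab, types their
// credentials into the attacker's page.

// Constructed sample: a few of the menu links named in the post. The hrefs are
// placeholders and the attributes are illustrative, not a scrape of the site.
const MENU_LINKS = [
  { text: "Blocktrades",      href: "https://blocktrades.example/", target: "_blank" },
  { text: "Steem Chat",       href: "https://chat.example/",        target: "_blank", rel: "nofollow" },
  { text: "Steemit API Docs", href: "https://docs.example/",        target: "_blank", rel: "noopener noreferrer" },
  { text: "About",            href: "/about.html" },   // same tab: no opener handed out
];

// _self/_parent/_top stay in the current frame tree; _blank or any other name
// opens (or reuses) a separate browsing context that gets window.opener.
function opensNewContext(link) {
  const target = (link.target || "_self").toLowerCase();
  return !["_self", "_parent", "_top"].includes(target);
}

// A link hands the target page a usable window.opener when it opens another
// browsing context and carries neither "noopener" nor "noreferrer"
// ("noreferrer" implies "noopener" in browsers that support it).
function isTabnabbable(link) {
  if (!opensNewContext(link)) return false;
  const rel = new Set((link.rel || "").toLowerCase().split(/\s+/).filter(Boolean));
  return !rel.has("noopener") && !rel.has("noreferrer");
}

// Returns the texts of the links that would need fixing.
function auditLinks(links) {
  return links.filter(isTabnabbable).map((l) => l.text);
}

// Fix 1: add the rel tokens, keeping existing ones and avoiding duplicates.
function hardenRel(rel) {
  const tokens = new Set((rel || "").split(/\s+/).filter(Boolean));
  tokens.add("noopener");
  tokens.add("noreferrer");
  return [...tokens].join(" ");
}

function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// Render a link; anything that opens another browsing context gets the rel fix.
function renderLink(link) {
  const target = link.target ? ` target="${escapeHtml(link.target)}"` : "";
  const rel = opensNewContext(link) ? ` rel="${escapeHtml(hardenRel(link.rel))}"` : "";
  return `<a href="${escapeHtml(link.href)}"${target}${rel}>${escapeHtml(link.text)}</a>`;
}

// Fix 2 (the post's recommendation, for browsers that ignore rel="noopener"):
// call window.open from a throw-away iframe, then remove the iframe. The new
// tab's opener is the iframe's browsing context, which is gone by the time the
// third-party page runs, so there is no Steemit tab for it to navigate.
// Browser only: it needs a real DOM, so it throws when called under Node.
function openWithoutOpener(url, doc = globalThis.document) {
  if (!doc || !doc.body) throw new Error("openWithoutOpener needs a DOM");
  const iframe = doc.createElement("iframe");
  iframe.style.display = "none";
  doc.body.appendChild(iframe);
  try {
    return iframe.contentWindow.open(url, "_blank");
  } finally {
    doc.body.removeChild(iframe);
  }
}

// Wire both fixes to every link on the page that leaks an opener (browser only).
// Returns the number of links it touched.
function protectLinks(doc = globalThis.document) {
  if (!doc) return 0;
  const anchors = [...doc.querySelectorAll("a[target]")].filter(isTabnabbable);
  for (const a of anchors) {
    a.rel = hardenRel(a.rel);                 // Fix 1
    a.addEventListener("click", (ev) => {     // Fix 2
      ev.preventDefault();
      openWithoutOpener(a.href, doc);
    });
  }
  return anchors.length;
}
```

Running auditLinks over MENU_LINKS flags "Blocktrades" and "Steem Chat" and clears the API Docs link, which already carries the rel tokens, and the same-tab About link. In the browser, protectLinks() applies both fixes at once; rel="noopener noreferrer" alone is enough where the browser honours it, and the iframe route covers the ones that do not.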


Bug 2:

Post tags - #bug

Removing tags from a post is buggy.

SEE THIS POST for more details and STEPS TO REPRODUCE the bug


Bug 3:

Custom links - #veryminorbug

An <a> HTML tag whose href attribute has no value (no string and no equals sign, i.e. a bare `<a href>`) is eventually rendered as:

[screenshot: bug steemit.png]

(See the example in my post here, where I was playing with markdown and XSS testing.)


@therealwolf's platform smartsteem scammed my post this morning (Mother's Day) that was supposed to be for an Abused Children's Charity. Dude literally stole from abused children that don't have mothers ... on Mother's Day.

https://steemit.com/steemit/@prometheusrisen/beware-of-smartsteem-scam
