Skip to main content


Showing posts from October, 2013

Dangerous Persistent XSS at [FIX], is a Nokia business unit that brings together Nokia's mapping and location assets under one brand. The technology of Here is based on a cloud-computing model, in which location data and services are stored on remote servers so that users have access to it regardless of which device they use.  HERE Map Creator is a service launched by Nokia in November 2012 to allow users to map their neighborhood. With this bug I could SAVE a Road name with a payload on the map. Any user that try on re-edit the street name will get this XSS. I report a similar bug to a few months ago .  Nokia Reponse:   Thanks to Nokia for starting this bug bounty program .


I found a Flash XSS at AT&T main domain where an attacker could stealing credentials of users. Vuln URL: JSAM.flashCompleteHandler);}catch(e) {alert(document.cookie);}// &source= Payload: JSAM.flashCompleteHandler);}catch(e) {alert(document.cookie);}// Flash Vuln Code: public function videoPlayer_completeHandler(_arg1:VideoEvent):void{ if (ExternalInterface.available){, ExternalInterface.objectID); } else { trace("JSAM_VideoPlayer cannot call completeHandler because ExternalInterface is not available."); }; } Proof: After 2 months AT&T Response: I hope to be on the top 10 Award :)