Codeforces Parsing CSS -> Potential security issue?

Revision en2, by 60SecondsInAfrica, 2020-09-09 21:22:22

Dear Codeforces community, recently kostia244 found out that Codeforces parses custom CSS & HTML in this comment: https://codeforces.com/blog/entry/82468?#comment-693536

This could potentially be exploited by putting a malicious URL to steal a user's cookies and login sessions. Obviously making a PoC would be illegal but I would like to discuss whether or not that's even possible, and if so notify the admins to fix.

This could be dangerous; this text is not even a part of the image.

https://www.mike-gualtieri.com/posts/stealing-data-with-css-attack-and-defense

Revisions

| Rev. | Lang. | By | When | Δ | Comment |
|---|---|---|---|---|---|
| en2 | English | 60SecondsInAfrica | 2020-09-09 21:22:22 | 82 | |
| en1 | English | 60SecondsInAfrica | 2020-09-09 21:16:21 | 751 | Initial revision (published) |
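
One way a site can neutralize the styling vector discussed in this post, as an added example that is not part of the original post and not Codeforces' own code: rebuild comment HTML from an allowlist so that `style` attributes, `class` attributes and `<style>` blocks never reach other users' browsers. The allowlists, the names `CommentSanitizer` and `sanitize`, and the sample comment are assumptions constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Assumed allowlist for comment markup; a real site would tune it.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "code", "pre", "a", "img", "br"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}  # no style/class anywhere
DROP_WITH_CONTENT = {"style", "script"}  # element and its text are discarded
VOID = {"br", "img"}                     # never emit a closing tag for these

class CommentSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.removed, self._skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self._skip += 1
            self.removed.append(f"<{tag}> block")
        elif not self._skip and tag not in ALLOWED_TAGS:
            self.removed.append(f"<{tag}> tag")
        elif not self._skip:
            kept = []
            for name, value in attrs:
                value = value or ""
                if name not in ALLOWED_ATTRS.get(tag, ()):
                    self.removed.append(f"{tag}[{name}]")
                elif not value.lower().startswith(("https://", "http://")) and name != "alt":
                    self.removed.append(f"{tag}[{name}] scheme")
                else:
                    kept.append(f' {name}="{escape(value, quote=True)}"')
            self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self._skip = max(0, self._skip - 1)
        elif not self._skip and tag in ALLOWED_TAGS and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data))  # text is always re-escaped

def sanitize(html):
    """Return (clean_html, list_of_removed_items) for one user comment."""
    s = CommentSanitizer()
    s.feed(html)
    s.close()
    return "".join(s.out), s.removed

# Constructed sample comment: inline style with an external URL, a style block, a class.
SAMPLE = ('<p style="background:url(https://example.invalid/x)">hi</p>'
          '<style>p{color:red}</style><b class="x">ok</b>')
```

The `removed` list is worth logging: a comment that triggers it is a signal that someone is probing the renderer.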