Posted Thursday, July 13 at 12:14 PM (a year ago)
There is a known XSS exploit in webmention.js 0.5.4 and earlier. If you are running webmention.js on your site, please update to the latest version!
Many thanks to @tyage for reporting this vulnerability (and @psmoros for facilitating the report, as well as running huntr.dev which looks like a great security research and reporting platform).
Posted Wednesday, October 30 at 7:11 PM (5 years ago)
So, both Publ and Authl had a pretty naïve issue with the identity verification step of the IndieAuth flow; it simply accepted whatever the authorization endpoint said the user’s identity was. This made it very simple to spoof one’s identity and log in as anyone on any Publ or Authl site.
Authl 0.3.1 fixes the problem with the IndieAuth login flow, and Publ 0.5.8 fixes the problem with the Bearer token flow.
Posted Friday, September 6 at 5:27 PM (5 years ago)
So hey, if you’ve been using webmention.js you should probably update it, as there turned out to be an XSS issue found by Checkmention. Better to be safe than sorry etc. etc.