TechEcho

This might look really funny, but consider this: The javascript you are executing there runs on the github domain. So it can do whatever you can do by manually clicking.The injected script could for example submit a new SSH public key for your account (doesn't require your password again). Or just be funny and delete repos. Or just upgrading your account to a bigger, more expensive plan.Or they could get a list of your private repositories. Combine that with the upload of a new private key and you'll get free access to proprietary code of any account.Aside of fixing the XSS issue, they really should ask for the password again when uploading a public key.

Seems to be fixed now.Quick work by the github guys, kudos.For those who missed it, the title attribute inside commit messages in the file list wasn't HTML encoded.

Didn't work for me. Then I remembered to tell noscript to enable js. Does anyone still need convincing that they should be using noscript?

Something @chrislloyd and I found in Github. Nothing too serious!

Not working for me. Is it fixed? I can see only JavaScript. IE8 on Windows XP.

Seems to be fixed now.Quick work by the github guys, kudos.For those who missed it, the title attribute inside commit messages in the file list wasn't HTML encoded.

Didn't work for me. Then I remembered to tell noscript to enable js. Does anyone still need convincing that they should be using noscript?

Something @chrislloyd and I found in Github. Nothing too serious!

Not working for me. Is it fixed? I can see only JavaScript. IE8 on Windows XP.

XSS vulnerability found in Github

5 comments

XSS vulnerability found in Github

5 comments