There’s nothing you can do to change this. That’s obviously a pretty serious issue but Chariton does have some advice for the developers. So, to get pulses racing, he launched an XSS attack instead.Īs shown in the image below, Cross-Site Scripting (XSS) attacks allow for potentially malicious scripts to be injected into other web applications. The researcher says that while he could’ve changed any other information in the Popcorm Time application, that wouldn’t be “exactly much fun”.
#POPCORN TIME SE MOVIE#
The third mistake is that they make the previous two mistakes in a NodeJS application.”Īs shown in the image below, Chariton says he was able to perform a “content spoofing” attack, in which he gave the movie Hot Pursuit the title of “Hello World” instead. That means, there are no checks in place to ensure the validity of the data received. “The second mistake is that there is no input sanitization whatsoever. That means both the request and the response can be changed by someone with a Man In The Middle position (Local Attacker, Network Administrator, ISP, Government, etc.),” “First of all, the request to Cloudflare is initiated over plain HTTP. The exploit is based upon a few key factors being in place
Chariton says that a fork of the Popcorn Time app is entirely susceptible to a malicious ‘man-in-the-middle’ attack, that would essentially provide an attacker with entire control over a vulnerable machine.
0 kommentar(er)
