Sunday, 18 March 2018

Shania Twain has NOTHING to do with Creme (+ XSS Security Hole in "checkout" Subdomains)

This is more BS from Creme. This time, they pretend that Shania Twain created it. There are the usual red flags (the "Entertainment Today" layout, the "free trial" offers, and the fake comments); the formatting used for the "trial" and the "comments" seems to have been butchered, and they forgot the IFRAME redirect. However, I just went into the "checkout" subdomain and discover it manually. I also discovered an XSS security hole in their "checkout" subdomains (I originally found it on a fake Vogue article that pretended that Melania Trump created Creme, which has since been taken down, but it works on every one of their sites that has a "checkout" subdomain). This has easily-exploitable results; the only things that DON'T work with it are "script" and "iframe src" tags (which are automatically emptied). Here is an example, with a wall of goatse replacing the aforementioned Shania Twain article. Once again, avoid Creme, and if the scammers are reading this, they should fix the security hole.

UPDATE: They actually set up the redirect (using the traditional methods instead of the fancy IFrame), and changed the fake news to advertise Pink Diamond. The security hole is still there.

No comments:

Post a Comment