Summary

  • The author encountered a chatbot on Target’s website that did not sanitise or filter user input, enabling the author to post HTML code that was rendered in the chatbot window and even on parts of the webpage.
  • The author highlights the potential malicious use of this vulnerability, such as injecting fake messages to steal credit card information, redirecting users to phishing websites, and dropping malicious code that appears to be part of the legitimate website.
  • The author emphasises that chatbots should not behave like web editors and should sanitise all user input to prevent security vulnerabilities.
  • This is an example of unsafe HTML injection, where an attacker can inject HTML code into a web page, which is then rendered by the user’s browser as if it were part of the site.
  • This vulnerability risks not only the user’s browsing experience and privacy but also the reputation of the affected website and the trust of its users.
  • The issue highlights the importance of secure coding practices and the consequences of failing to sanitise user input, emphasising the risks to both users and websites.
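The defect described above is a chat widget that concatenates visitor text straight into its markup. The following is an added example, not code from the original article or from Target’s site, showing that pattern beside the escaped version a widget should use; the function names, the wrapper template and the sample message are all constructed for illustration.

```javascript
// Added example: treat visitor text as data, not markup, before it reaches the page.

// Every character that carries meaning in HTML, mapped to its entity form.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern from the summary: the visitor's text is inserted raw,
// so any tags it contains are rendered by the browser as real elements.
function renderMessageUnsafe(author, text) {
  return `<div class="msg ${author}">${text}</div>`;
}

// Hardened version of the same template: the text is escaped, and the CSS
// class is chosen from a fixed allowlist rather than taken from input.
function renderMessageSafe(author, text) {
  const role = author === "agent" ? "agent" : "visitor";
  return `<div class="msg ${role}">${escapeHtml(text)}</div>`;
}

// Regression check: a correctly rendered message contains exactly the two
// wrapper tags emitted by the template and nothing else that parses as a tag.
function containsInjectedTag(html) {
  const tags = html.match(/<[^>]+>/g) || [];
  return tags.length > 2;
}

// Constructed sample: a chat message that carries markup.
const SAMPLE = 'Hi <b>there</b> <img src="x" alt="y">';

console.log("unsafe:", renderMessageUnsafe("visitor", SAMPLE));
console.log("safe:  ", renderMessageSafe("visitor", SAMPLE));
```

The escaped output displays the visitor's angle brackets literally, which is the behaviour the summary says the chatbot should have had.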

By Shah kaif

Original Article