Hackers can gain full control of a user’s account without the use of malware or phishing with just a few lines of JavaScript, warns bug bounty platform HackerOne.
The vulnerability, known as cross-site scripting (XSS), occurs when a hacker injects malicious script into a webpage viewed by others.
There are three types of XSS vulnerabilities: reflected, stored and DOM-based, the last of which is the hardest to detect.
The severity of these flaws warrants their categorisation as high risk, according to HackerOne, which highlights that they are often the “hidden key to stealing accounts”.
The company has published a member-only story outlining the dangers of XSS, along with real-world examples and advice on how to counter this threat.