WingNews logo WingNews
top | item 39394546

(no title)

hackideiomat | 2 years ago

Ha, exactly! They rarely fix bugs.

E.g., XSS / HTML injection in summarizer or discuss document. Or their broken CSP which allows injecting forms to e.g., change settings.

They haven't fixed many reported issues in a while, and just to prove I'm not lying: https://kagi.com/discussdoc?url=https%3A%2F%2Fkagi.com%2Fcha...

discuss

order

tmikaeld|2 years ago

While it doesn't look good, it doesn't inject or execute scripts.

Still, would have liked an official take on this. I was about to re-signup but now I'll hold off on that.

hackideiomat|2 years ago

Oh yes because of the CSP. The CSP that allows forms that can change your settings... you could easily use the above bug to get some impact with an additional click on a form's submit button.

Admittedly, no full XSS anymore, but still dangerous and shows their lack of understanding and caring about security.

It's not the only place you can inject HTML and not every page has a CSP...