Teenage security enthusiast Karim Rahal and Ibram Marzouk discovered multiple cross-site scripting issues in the HTML Comment Box used by millions of sites.
HTML Comment Box Vulnerability Discovered By Teen Hackers
Two teenage computer security hackers impressed the community by discovering a serious cross-site scripting vulnerability. The problem resided in the popular HTML Comment Box, which is used on about 2 million websites. The discovery was made by Karim Rahal and Ibram Marzouk, both 14-year-old students from Lebanon, who reported the flaw through Detectify’s bug bounty program.
The vulnerability allows attackers to insert arbitrary code into a site’s comments. The injected code then executes in the browsers of visitors to the affected pages, exposing those users and their machines to attack. Rahal states that he used Google to find that about 2 million websites embed the third-party comment section he found vulnerable. He also stated that he was unable to find the developer’s contact information until the bug bounty platform invited him to its Crowdsource program.
Rahal was able to bypass the cross-site scripting filters using ordinary tags. Once the issue was reported, the developers of the HTML Comment Box plugin patched the bug.
The affected plugin is simply called HTML Comment Box. Here is a short description of it:
HTML Comment Box (HCB) is a website comments solution. As a widget, it can be pasted directly into your website’s html. The comment box script provides an easy way for web designers & developers to put a simple comment box on their web page in order to receive comments from visitors. Comments are currently accepted “anonymously”, meaning anyone can leave a comment on your page. However, you can delete any undesirable comments you receive by becoming a moderator.
The young researchers were applauded by the security research and site administrator communities. We would also like to remind our readers that enthusiasts like them have been at the forefront of critical bug discovery. Over the years we have seen many examples of bright and talented young researchers who have found serious vulnerabilities.