A security researcher, Rafay Baloch, has discovered Cross site scripting vulnerability in the StumbleUpon , One of the famous social bookmarking website with alexa rank of 149.
"Few days before, while i was hunting for vulnerabilities inside stumbleupon.com," Rafay said in his blog post. "Fiddler helped me obtain a non persistent XSS vulnerability inside stumbleupon"
He send notification about the vulnerability to StumbleUpon, however there is no response from other side.
"For security reasons i cannot disclose the URL and parameters for the injection, I hope stumbleupon fixes the vulnerability pretty soon." researcher said.
At the time of writing, the vulnerability is not patched and we are able to exploit the vulnerability. In fact, i inject a redirection code that successfully redirects me to the given url. So , an attacker can exploit this vulnerability for launching social engineering attack and redirect user to malicious site. Also it is possible to hijack session that allows attacker to take control of your stumble upon account.
Few days back, Rafay also discovered a redirection vulnerability in Facebook.