Introduction

I was busy playing my favorite game when an update notification from NVidia popped up. Before I could update the software, it required me to have an account, so I registered via the web.

Out of curiosity, I tried to use XSS payloads for the name, but it was filtered and I eventually gave up. Going back to the main cause of my frustration, I opened the NVidia desktop app (GeForce Experience) to update it but then I noticed that you can create an account through the app.

With that thought in mind, I managed to inject the XSS in their web app.

Vulnerability: Cross-site Scripting (XSS)

Payload: '"><svg/onload=alert(/XSSed!/)>

Proof of Concept (POC):

1. Run your GeForce Experience desktop application.
2. Click on “Login with NVidia” and “Create account”.
3. Fill out the “Display Name” field with the payload and click on “Register”.

Once registered, confirm your email address and login.

The payload will be triggered after a successful login.
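The root cause described above is that the "Display Name" value was filtered on one entry point (the web form) but not on another (the desktop app), and was then rendered into the page after login. The durable fix is contextual output encoding at render time, applied regardless of which client stored the value. The following is an added example, not NVidia's code; the helper names escapeHtml and renderWelcome and the greeting markup are assumptions. It renders the payload quoted in this write-up as inert text.

```javascript
// Added example (not NVidia's code): escape a user-controlled display name
// at output time, so a stored value that bypassed input filtering on one
// client still cannot become markup when rendered.

// The five characters that can break out of HTML text or a double- or
// single-quoted attribute value. Ampersand is included so that the encoded
// output cannot be re-interpreted as an entity.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escaper for HTML text and quoted-attribute contexts only. It is not
// sufficient for JavaScript, URL or CSS contexts, which need their own encoders.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical post-login greeting. The display name lands in the two
// contexts the write-up's payload is aimed at: a quoted attribute and
// element text. Both go through the same escaper; the server does not
// care whether the web form or the desktop app stored the value.
function renderWelcome(displayName) {
  const safe = escapeHtml(displayName);
  return `<span class="user" title="${safe}">Welcome, ${safe}</span>`;
}

// Constructed sample input: the payload quoted in this write-up.
const SAMPLE_PAYLOAD = "'\"><svg/onload=alert(/XSSed!/)>";

// Stand-alone run: show the encoded greeting.
console.log(renderWelcome(SAMPLE_PAYLOAD));
```

The same escaper should be used on every page that prints the name (profile, greeting, admin views), since the stored value is identical for all of them; a filter on the registration form alone, as the write-up shows, protects only the path that happens to pass through that form.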


Timeline:

Dec 13, 2016 at 2:18 AM – Reported (auto-reply received)
Feb 9, 2017, 3:02 PM – Issue still exists. Report follow up.
Feb 11, 2017 at 6:13 AM – Response received.
“Thanks for the reach out – I re-sent this to the web team to look at. – Lisa”
Feb 16, 2017 at 11:57 AM – Follow up again.

They have not responded for more than 90 days, but the issue has been fixed.


No acknowledgement received.
