A group of dating sites that use a similar code base are vulnerable to a serious XSS issue which exists in the user-to-user messaging facility. The vulnerability allows an attacker to send a specially crafted message to a victim. The victim’s browser will, upon opening the message (without further user intervention), execute arbitrary JavaScript code. The impact of this vulnerability is severe, especially because it occurs on a dating site, where stalkers or other malicious individuals can exploit it to do real harm to targets. Due to this risk, the existence of this vulnerability is being exposed immediately (without technical details) as a public service.
The following sites, which run on the same (possibly proprietary) framework are confirmed to be vulnerable:
- altscene.com
- girlgamerdating.com
- bbwadmire.com
- helahel.com
- russianadmire.com
- asianadmire.com
- matureattraction.com
The sites appear to be carbon copies of each other, but intended for different niches. I have made numerous attempts to contact the owner of these sites (all are owned by the same person or organization) with little success. Stay safe, awoo~