62

Talking to Best Buy customer support live chat trying to price match using friend’s laptop.

Typed in “<b>Hello</b>”

Oh cool.. it comes out as bold. Let’s get a scary as fuck screamer gif and img src it.

Me: *Posts picture*
Me: *Waits a few seconds*

Me: “Did you see that picture?”
Support: “No. Sir, could you tell me the item you want to price match?”
Me: “Okay hold on.”

Typed in “<script type=‘text/javascript’>window.alert(‘OOGA BOOGA BITCH’);</script>”

Me: “Did you see that?”
Friend: “Dude stop.”

I push my friend away since I’m on his Best Buy account.

Me: “Did you see a pop up?”
Support: “No.”
Me: “Okay okay hold on.”

You have left the chat.

Comments
  • 5
    why did you leave?
  • 17
    Wait... I can JavaScript best buy guy ..

    function openInNewTab(url) { var win = window.open(url, 'http://www.randomsexsounds.com'); win.focus(); }
  • 4
    Client may run it. But doesn't mean it gets transmitted that way.
  • 2
    @GlabbichRulz I imagine he was kicked off, lol
  • 3
    How can an attack like xss affect the host and or someone else in the domain?
    Afaik it should be doing that only on the client side.
  • 1
    @gitpull it can, you have seperate input/output fields. So if you enter a script via chat and it is parsed into output as a node instead of text the browser will execute it directly. The webdeveloper tools of your browser should be able to recreate this for you
  • 1
    Support usually has a different tool for displaying their messages, they don't use the same frontend. So chances are that there is some injection protection along the way.
  • 1
    Haha. Great
  • 1
    @Lobidu you would hope, I know a few that don't sanitise input.
  • 1
    @seraphimsystems Thats why I said "chances are" ;)
Add Comment