DuckDuckGo XSS vulnerability (twitter.com)
Edit: If you click submit on the VPN form, you get "This could have been a phishing page." so it's definitely the attacker's form, that's crazy.
There isn't anything you can do to spot this. This is on DuckDuckGo to fix, and their not responding to the report for such a long time is irresponsible and not really excusable.
It looks like tranquil-bit.surge.sh redirects to http://tranquil-bit.surge.sh/vpn so maybe DDG are somehow setting the URL to whatever the u= param redirects to?
"Reported in March 2017, emailed them 9 times about the issue since then. Still unfixed as of now."
It's not as simple as just shutting down the open proxy because we need an open proxy to adequately protect users' privacy on our site, e.g. for image search. It just needs to be more locked down and more obvious it is a proxy, which we are doing right now (half done already -- CSP rolled out fully, new domains in process).
No fancy quick-result box, but fast as lightning.
Adding to Firefox is easy via https://addons.mozilla.org/en-US/firefox/addon/duckduckgo-ht...
Could you comment on the "Reported in March 2017, emailed them 9 times about the issue since then. Still unfixed as of now." claim, as it seems imperative to the discussion?
Is there something that can be improved here? Perhaps that inbox is not as actively monitored as it could be?
It's not as simple as just shutting down the open proxy because we need an open proxy to adequately protect users' privacy on our site. It just needs to be more locked down and more obvious it is a proxy, which we are doing right now (half done already).
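The two replies above say the proxy has to stay but be "more locked down and more obvious it is a proxy", and an earlier comment suspects the redirect target of the u= parameter ends up being served. The following is an added example of what such a lock-down policy can look like; it is not DuckDuckGo's code and nothing in it is taken from their service. The allowed content types, the size cap, the sandbox hostname, and the decision not to follow upstream redirects are all assumptions made for the example, and the resolved IP is passed in as a parameter so it runs offline.

```python
"""Request and response policy for a locked-down image proxy.

Added example, not DuckDuckGo's code. A proxy that fetches arbitrary
URLs on the user's behalf must refuse to relay anything but the image
bytes it exists to relay, and must serve them from an origin that is
not the search site's. Hostnames, limits and format list are assumptions.
"""
import ipaddress
from typing import Dict, Optional, Tuple
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_CONTENT_TYPES = {"image/png", "image/jpeg", "image/gif", "image/webp"}
MAX_BYTES = 5 * 1024 * 1024  # assumed cap for the example
PROXY_HOST = "proxy.example"  # assumed dedicated domain, separate from the search origin

# Magic bytes for the allowed formats. The body is checked against these,
# not only against the upstream Content-Type header, which an attacker controls.
MAGIC = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/webp": (b"RIFF",),  # bytes 8..12 must also read "WEBP", see _matches_magic
}


def validate_target(url: str, resolved_ip: str) -> Tuple[bool, str]:
    """Decide whether the proxy may fetch `url` at all.

    `resolved_ip` is what the proxy's own resolver returned for the host,
    passed in so the example runs offline. Rejecting non-public addresses
    keeps the proxy from being pointed at internal services.
    """
    p = urlparse(url)
    if p.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if not p.hostname:
        return False, "missing host"
    if p.username or p.password:
        return False, "credentials in URL"
    try:
        ip = ipaddress.ip_address(resolved_ip)
    except ValueError:
        return False, "unparseable address"
    if not ip.is_global:
        return False, "non-public address"
    return True, "ok"


def validate_upstream(status: int, content_type: str, body_prefix: bytes,
                      content_length: Optional[int]) -> Tuple[bool, str]:
    """Decide whether an upstream response may be relayed to the browser.

    Redirects are not followed (a design choice assumed here): the proxy
    serves exactly the resource named in the request or nothing, so a 3xx
    from upstream is a rejection rather than a second fetch of some other URL.
    """
    if 300 <= status < 400:
        return False, "upstream redirect not followed"
    if status != 200:
        return False, "upstream status %d" % status
    base = content_type.split(";", 1)[0].strip().lower()
    if base not in ALLOWED_CONTENT_TYPES:
        return False, "content type %r not allowed" % base
    if content_length is not None and content_length > MAX_BYTES:
        return False, "too large"
    if not _matches_magic(base, body_prefix):
        return False, "body does not match declared image type"
    return True, "ok"


def _matches_magic(base: str, prefix: bytes) -> bool:
    if not any(prefix.startswith(m) for m in MAGIC[base]):
        return False
    if base == "image/webp":
        return len(prefix) >= 12 and prefix[8:12] == b"WEBP"
    return True


def response_headers(content_type: str) -> Dict[str, str]:
    """Headers sent with a relayed image.

    nosniff stops the browser reinterpreting the bytes as HTML. The CSP
    sandbox directive is ignored for an image response, but if anything
    were ever rendered as a document it would get no script and no origin.
    Serving from PROXY_HOST rather than the search domain means a slip here
    never runs in the search site's origin.
    """
    return {
        "Content-Type": content_type,
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
        "Cache-Control": "public, max-age=3600",
    }
```

The two checks are deliberately split: `validate_target` runs before any connection is made, `validate_upstream` runs on the first bytes of the response before anything is written to the client, so an HTML page served under an image URL, or a redirect to one, is dropped rather than relayed.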