We used chatbot code from IBM, and it was instantly vulnerable to XSS attacks

We used chatbot code from IBM, and it was instantly vulnerable to XSS attacks(github.com)

3 points by ftreml 5 years ago | 3 comments

lumpa 5 years ago |

The repo reads like research code, and indeed seems to be an article's companion code plus platform example code. The code in question was committed in 2018 and never touched again.

That's no excuse, it pretty literally does "innerhtml = user_input" and it's awful. But it's not a flagship chatbot library from what I see, which probably lessens the impact of such awfulness.

ftreml 5 years ago | |

partially agree. In another repo, the same vulnerability was only fixed after years ...

https://github.com/watson-developer-cloud/assistant-simple/c...

ftreml 5 years ago |

I wrote about security threats for chatbots

https://floriantreml.medium.com/security-threats-and-securit...