Monday, May 16, 2016

AngularJS Template Injection in Spotify Community site

I found an AngularJS Template Injection vulnerability in the Spotify Community website. I noticed that the site uses AngularJS when I viewed the page source. The vulnerable part is the rich text format used when creating a new post or thread in the forum. Switch to rich text format, click the URL/link icon, enter an Angular expression such as {{1+1}} or {{1==1}}, then click the Preview tab. The expressions evaluate to "2" and "true" respectively, so user-supplied text is being interpolated by AngularJS. The bug was fixed by the Spotify security team within 3 days; they have a good response time too. AngularJS Template Injection is very dangerous and can escalate to XSS and RCE if not fixed.
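As an added example (not code from the original post or from Spotify), the following shows why HTML-escaping alone does not stop AngularJS interpolation in a preview pane, how wrapping the content in `ng-non-bindable` does, and a simple server-side check for `{{...}}` candidates in submitted text. The helper names and the sample post body are constructed for this illustration.

```javascript
// Added example: detecting and neutralizing AngularJS interpolation markup
// in user-supplied forum text before it is rendered inside an ng-app DOM.
// {{ and }} are the AngularJS default interpolation delimiters.
const START = '{{';
const END = '}}';

// Return every {{...}} expression candidate found in a piece of user text.
// Useful as a review or alerting signal when posts are submitted.
function findInterpolations(text) {
  const found = [];
  let pos = 0;
  for (;;) {
    const s = text.indexOf(START, pos);
    if (s === -1) break;
    const e = text.indexOf(END, s + START.length);
    if (e === -1) break;
    found.push(text.slice(s + START.length, e).trim());
    pos = e + END.length;
  }
  return found;
}

// HTML-escape for safe insertion as element text. NOTE: this alone does NOT
// stop AngularJS interpolation. The browser decodes entities before $compile
// walks the DOM, so "&#123;&#123;1+1&#125;&#125;" in the source is seen by
// AngularJS as the text node "{{1+1}}" and evaluated just the same.
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable preview (the pattern described in the post): HTML-escaped but
// left inside a compiled scope, so {{1+1}} still renders as 2.
function renderPreviewVulnerable(userText) {
  return `<div class="preview">${escapeHtml(userText)}</div>`;
}

// Hardened preview: ng-non-bindable tells AngularJS to skip compiling (and
// therefore interpolating) the element's contents entirely.
function renderPreviewSafe(userText) {
  return `<div class="preview" ng-non-bindable>${escapeHtml(userText)}</div>`;
}

// Constructed sample post body, mirroring the expressions in the write-up.
const SAMPLE = 'Check this link {{1+1}} and {{1==1}}';
```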