Responsible Responsible Disclosure Split Wise Stored XSS

September 24, 2013

Splitwise is a Providence, RI based company that makes it easy to split bills with friends and family and yes i am user of Split wise. Recently, found stored XSS in Split wise add amount module.  This can be used to easily steal the cookies of the our friend as well as make it was possible redirect page to other page, where victim can be trapped easily.

Reported this bug on Aug 21 2013 and fixed on next day :)


Following payload executed successfully

< script >(sessionStorage[!-1]=alert)(!-1) < / s cript>

” > < s ¬†cript> Alert(1)< / script>


Iframe execution demonstration


Thanks for sending me T-shirt and some more security bugs are on the way :)


We Provide Penetration Testing

Leave a Reply

Your email address will not be published. Required fields are marked *


We Provide Penetration Testing