Reflective, persistent XSS discovered on Microsoft Bing maps

Thursday, September 19, 2013

Update 2

[September 19 19:12] Microsoft has responded to Naik, saying that the vulnerability cannot be used to extract the authentication data of other users by sending them Pushpin links, because the data is sanitized before it is shared. What surprises us is that Microsoft does not sanitize user input when a Pushpin is created, yet does so when it is shared.

Update 1

[September 19 18:45] Naik has confirmed to us that he was indeed the discoverer of the vulnerability. According to Naik, he did contact Microsoft. We have asked him whether Microsoft responded to his report and are awaiting his reply. Naik hasn’t tested the flaw extensively and, as of now, only claims that it works on Firefox 23.0.1.

Original Story

A security researcher, Bhavesh Naik, has discovered a cross-site scripting (XSS) vulnerability on Bing Maps, and from the looks of it the vulnerability is both reflective and persistent.

Tested on Firefox 23.0.1, the vulnerability doesn’t take a whole lot to be exploited. A user would first be required to log in using Hotmail, Live or Outlook credentials. Then the user would need to create a new list under the My Places option on Bing Maps. As per the steps listed, a simple script has to be inserted into the title and notes fields while creating the new list. The same script is then used while creating a Pushpin.

Once the Pushpin is created, the user needs to hover over the “yellow dot with a number on the map”, the researcher notes. The XSS dialog box also pops up if the user hovers the mouse pointer over the just-created place in the My Places editor.

Considering that the XSS fires from an object created and saved by the user, chances are that this flaw could be used to extract the authentication data of other users if the particular Pushpin is shared via email or some other means, which would make it a persistent XSS flaw.
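To make the distinction concrete, here is an added JavaScript model of the Pushpin flow (not Bing’s code; every function name is hypothetical): storage keeps the raw title and notes, one tooltip renderer concatenates them straight into markup as the report describes, the hardened renderer HTML-encodes on output, and a share renderer shows why escaping only on the sharing path, as in Update 2, leaves the hover tooltip unprotected.

```javascript
// Escape the five characters that matter in an HTML text or attribute context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Storage keeps the raw text (as Bing apparently did). That is acceptable
// only if every output path encodes the value for its context.
function createPushpin(title, notes) {
  return { title, notes };
}

// Vulnerable tooltip: user-controlled strings are concatenated into markup,
// so any tag in the title or notes becomes live HTML on hover.
function renderTooltipUnsafe(pin) {
  return `<div class="tooltip"><b>${pin.title}</b><p>${pin.notes}</p></div>`;
}

// Hardened tooltip: identical markup, but every untrusted value is
// HTML-encoded at the point of output.
function renderTooltipSafe(pin) {
  return `<div class="tooltip"><b>${escapeHtml(pin.title)}</b>` +
         `<p>${escapeHtml(pin.notes)}</p></div>`;
}

// Share path: encoding applied here protects only the shared copy. It does
// nothing for the map tooltip, which is exactly the gap Update 2 points at.
function renderShareLink(pin) {
  return `<a href="#share">${escapeHtml(pin.title)}</a>`;
}

// Detection helper: does the rendered HTML still contain the raw marker tag
// that was placed in the input? True means the output path is unencoded.
function containsRawTag(html, tagMarker) {
  return html.includes(tagMarker);
}

// Constructed sample input: a harmless marker tag standing in for "a simple
// script" in the report.
const samplePin = createPushpin('<s>probe</s>', 'notes <s>probe</s>');
console.log('unsafe leaks tag:', containsRawTag(renderTooltipUnsafe(samplePin), '<s>probe</s>'));
console.log('safe   leaks tag:', containsRawTag(renderTooltipSafe(samplePin), '<s>probe</s>'));
```

Run with `node` to see the unsafe renderer leak the marker tag while the hardened one does not; the same check, applied to each place a stored title or note is rendered, is how a reviewer finds the unencoded path.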

We have contacted the researcher who reported the XSS vulnerability on the Full Disclosure mailing list and are awaiting a response.