NBB-2292

Description

Naver is a major Korean company. vibe.naver.com was vulnerable to DOM-based XSS via an open redirect. A full exploit, however, required leaking the victim's splReservSeq value, which could be stolen through the Referer header. I reported this vulnerability on 22 Feb 2022, and it was patched on 7 Mar 2022.


Reporting Timeline

  • 2022-02-12 03h 18m : Reported this issue via the Naver Bug Bounty
  • 2022-02-14 09h 39m : Request status changed to 1st review
  • 2022-02-15 16h 30m : Request status changed to 2nd review
  • 2022-03-08 09h 20m : Request status changed to Reward
  • 2022-03-22 14h 45m : Request status changed to Waiting for customer
  • 2022-03-25 12h 08m : Request status changed to Reward In Process
  • 2022-03-31 10h 59m : Request status changed to Complete

Security Report