Hello y'all,
As you may have seen, I created a new Bitcoin Education app. It has a bunch of mini apps as well, including a music streaming platform with a player named 'Bitcoin Beats.' So far, we have 3 songs uploaded to the app. We hope to get more Bitcoin artists and musicians alike to upload their music, so please spread the word! Here is the app: https://btcedu.app/app/bitcoin-beats
You can tip artists with sats directly from the song itself or from inside the artist's profile. You can leave comments on songs (Soundcloud style). And I also built a really fun "DJ" feature where you can broadcast any song that's on the app to our app's Global group chat where users can tune in live. Try it out!
tf is that breh
hey @optimism thx for the report. I am working with some devs who have been helping me fix vulnerabilities, and this is one that was injected as a proof of concept. It's cleaned up now. Thanks for checking out Bitcoin Beats!
```js
'<div style="width:44px;...;">' + ((t.coverArt || t.coverUrl) ? '<img src="' + _safeCover(t.coverUrl || t.coverArt) + '" style="width:100%;height:100%;object-fit:cover;">' : (t.genre === 'podcast' ? '🎙️' : '🎵')) + '</div>'
```
Happened with image upload; values are inserted raw inside an HTML string.
Resulting in:
```html
<img src="" onerror="alert('beats-update-XSS')" style="width:100%;height:100%;object-fit:cover;">
```
or
```html
<img src="" onerror="alert('beats-XSS-by-ProofOfCash')" style="width:100%;height:100%;object-fit:cover;">
```
It's even branded
ProofOfCash lol
I am working with some devs who have been helping me fix vulnerabilities, and this is one that was injected as a proof of concept. It's cleaned up now. Thanks for checking out Bitcoin Beats! @sox
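The bug class in sox's report above (a user-controlled cover-art URL concatenated raw into an HTML string, so a value like `" onerror="...` escapes the `src` attribute), shown beside a hardened renderer. This is an added example, not Bitcoin Beats' code: the function names (`renderCoverVulnerable`, `renderCoverHardened`, `safeCoverUrl`, `escapeAttr`) are mine, the payload is constructed, and the base origin for resolving relative cover paths is assumed to be the app's own.

```javascript
// Added example, not the app's code. Demonstrates raw HTML concatenation of a
// cover-art URL (the report's bug class) versus allow-listing plus attribute
// escaping. Runs under Node without a DOM.

const BASE_ORIGIN = 'https://btcedu.app'; // assumption: where relative cover paths resolve
const FALLBACK_COVER = '<div class="cover">🎵</div>'; // shown when the URL is rejected

// Constructed attacker value: closes the src attribute and adds an event handler.
// (Hypothetical payload, not the one used against the app.)
const PAYLOAD = '" onerror="alert(\'xss\')';

// Vulnerable: same shape as the snippet in the report, value inserted raw.
// t.coverUrl || t.coverArt mirrors the report's fallback chain.
function renderCoverVulnerable(t) {
  const cover = t.coverUrl || t.coverArt;
  return '<img src="' + cover + '">';
}

// Escape the five characters that matter inside a double-quoted HTML attribute.
function escapeAttr(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Allow-list the URL: parse with the WHATWG URL parser, accept only http(s),
// and return '' for javascript:, data:, vbscript:, non-strings or unparseable input.
function safeCoverUrl(raw) {
  if (typeof raw !== 'string' || raw.length === 0) return '';
  let url;
  try {
    url = new URL(raw, BASE_ORIGIN);
  } catch {
    return '';
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return '';
  // Serialized form: quotes, spaces, '<', '>' in the path/query are percent-encoded.
  return url.href;
}

// Hardened: validate first, then escape when building markup. The escape is
// defense in depth; the real fix in a browser is img.src = safeCoverUrl(...)
// on an element created with document.createElement, never string building.
function renderCoverHardened(t) {
  const src = safeCoverUrl(t.coverUrl || t.coverArt);
  if (!src) return FALLBACK_COVER;
  return '<img src="' + escapeAttr(src) + '">';
}

// Structural check: a well-formed <img src="..."> with one attribute contains
// exactly two double quotes; an injected attribute adds two more.
function attributeQuoteCount(html) {
  return (html.match(/"/g) || []).length;
}

// Demo when run directly: node cover.js
if (typeof require !== 'undefined' && require.main === module) {
  const track = { coverUrl: PAYLOAD, genre: 'music' };
  console.log('vulnerable:', renderCoverVulnerable(track));
  console.log('hardened:  ', renderCoverHardened(track));
  console.log('javascript: scheme ->', renderCoverHardened({ coverArt: 'javascript:alert(1)' }));
}
```

The allow-list rejects by scheme rather than by blocklisting `javascript:`, so `data:`, `vbscript:` and anything the parser refuses fall through to the fallback icon; a relative upload path still resolves against the assumed origin. Note that an escaper alone does not help if the value is later assigned to `innerHTML` as part of a larger template that the server also builds from user input; validate the URL at upload time as well as at render time.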
why?
ProofOfCash is one of the white hat hackers nyms haha
Cool.