Tuesday, May 19, 2020

Merlin Bird ID app for iOS: XSS error from plaintext entry in Forgot Username/Password input boxes

iOS 13.4.1
Merlin Bird ID by Cornell Lab (version 1.7.3)
Date: 05/19/20

Description:

There is a cross-site scripting problem with the Merlin Bird ID app from Cornell Lab.

The app has a "Forgot username?" and a "Forgot password?" option on its sign-in screen. An XSS error appears if the user enters the HTML tag <plaintext> into either of these input boxes:

Enter the literal text <plaintext> into either the "Forgot username" or "Forgot password" input box and submit it...

The response comes back as raw HTML.

Steps to Reproduce:

1. Download the Merlin Bird ID app for iOS
2. Select "Sign in" from the side bar menu
3. Select either "Forgot Username" or "Forgot Password"
4. Enter <plaintext> into the input box and submit it

Result: An XSS error appears after the user enters <plaintext> into either the Forgot Password or Forgot Username input box.

Expected: No XSS errors!
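The fix for this class of bug is to HTML-encode user input before reflecting it into a response, so a submitted <plaintext> tag is shown as literal text instead of being parsed as markup (an unencoded <plaintext> tag makes the browser treat everything after it as raw text, which is why the page's HTML shows up). The following is an added example, not code from the Merlin Bird ID app or from Cornell Lab; it assumes a hypothetical server-side "account not found" message template and shows the vulnerable rendering next to the hardened one, plus a simple check that a response does not carry the raw tag.

```python
import html
import re

# Constructed sample inputs: an ordinary username and the <plaintext> tag from the report.
SAMPLE_INPUTS = {
    "normal": "birder42",
    "plaintext_tag": "<plaintext>",
}

# Hypothetical response template for the forgot-username / forgot-password flow.
TEMPLATE = (
    "<p>We could not find an account for <b>{value}</b>. "
    "Please check the spelling and try again.</p>"
)

# Conservative allow-list for the identifiers this form should accept:
# a username (letters, digits, dot, underscore, hyphen) or a simple e-mail address.
IDENTIFIER_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}(@[A-Za-z0-9.-]{1,255})?$")


def render_unsafe(user_value: str) -> str:
    """Vulnerable form: reflects the submitted value verbatim into the HTML."""
    return TEMPLATE.format(value=user_value)


def render_safe(user_value: str) -> str:
    """Hardened form: HTML-encodes the value so the browser shows it as text."""
    return TEMPLATE.format(value=html.escape(user_value, quote=True))


def looks_like_identifier(user_value: str) -> bool:
    """Input validation at the boundary: reject values that cannot be a username or e-mail."""
    return IDENTIFIER_RE.match(user_value) is not None


def contains_raw_tag(markup: str) -> bool:
    """Response check: True if an unencoded <plaintext> tag is present in the markup."""
    return re.search(r"<\s*plaintext\b", markup, re.IGNORECASE) is not None


def handle_forgot_request(user_value: str) -> str:
    """Combined handler: validate first, then encode whatever is reflected back."""
    if not looks_like_identifier(user_value):
        # Still encode the rejected value; validation is defence in depth, not a replacement.
        return "<p>Please enter a valid username or e-mail address: " \
               f"<b>{html.escape(user_value, quote=True)}</b></p>"
    return render_safe(user_value)


if __name__ == "__main__":
    for label, value in SAMPLE_INPUTS.items():
        print(f"--- {label} ---")
        print("unsafe :", render_unsafe(value))
        print("safe   :", render_safe(value))
        print("handler:", handle_forgot_request(value))
```

Both layers matter: the allow-list stops the <plaintext> value at the form boundary, and html.escape guarantees that any value which does reach a template (including the rejected one echoed in the validation message) cannot be parsed as a tag.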
