I’ve discovered a Cross-Site Scripting (XSS) vulnerability at ZeroSSL web app (https://app.zerossl.com) which may lead to:
– session hijacking
– stealing a certificate private key, provided ZeroSSL has generated one
– stealing a user account password hash
I’ve first emailed ZeroSSL about the issue on 4 Jan 2023 in the morning, they got back to me the same day at noon and promised they’ll investigate.
The thing is, if ZeroSSL has generated a private key (they do so in their web app, they also have an ACME API but that’s not affected), the user
can download the key repeatedly from their site. The private key is stored encrypted in the app and is decrypted in the browser before it’s being
Earlier today, I sent a proof-of-concept (PoC) code that demonstrates how to steal a private key for a domain by clicking a link, provided ZeroSSL
has generated the key. After sending the PoC, they have responded this afternoon that they have fixed the XSS but I believe there may be
some more work for them to do.
First, reading Baseline requirements section 18.104.22.168.16 they may need to revoke some certificates because the proof-of-concept consists
of “a demonstrated or proven method that exposes the Subscriber’s Private Key to compromise”.
Second, their users are still one XSS away from losing their private keys as my private-key-stealing PoC still works (you can
paste it to your browser devtools console to simulate an XSS, or find a different XSS if you will).
anyone could write and definitely even better than me.
I’m sending this email to create an informal public record of what happened (I’ve been cc’ing some friends who are also members of this list
so there’s a “private record”, sort of) and would like ZeroSSL to self-report a CA Incident as per https://wiki.mozilla.org/CA/Incident_Dashboard
(emailed them the link and the request to self-report an hour ago).
Seems like this is definitely the most interesting XSS I found so far 🙂 You know, don’t stop at alert(1)…
(For transparency: they offered 500 EUR reward for the bug, thanks!)