
Runkeeper – stored HTML injection and XSS
After reading a post about XXE in Runkeeper, I really wanted to look at runkeeper.com and try to find some bugs.
It didn’t take long, and I discovered 2 bugs – HTML injection and XSS; both stored.
Demo video:
Timeline:
15/7/2015 – Initial report to Runkeeper team
16/7/2015 – Response from Runkeeper team
18/7/2015 – Confirmation of fixed vulnerabilities from my side
18/7/2016 – Public disclosure (yep, after one year ^_^)