Waste less time on Facebook — follow Brilliant.

Brilliant and security holes?

First off, I'm going to be honest and say I'm not one of those brilliant Brilliant users (probably bottom 10%). I am new to JS, webdesign, html, php, JQ, and all the noob basics. To me, Brilliant is one of those giant imperialist CSS tanks that are flawless. I see you people out there making all sorts of witchcraft and inventing calculus. However, I've searched the archived posts and see none regarding this issue, if it even is an issue.

So I've sent a message to Brilliant support asking about this issue about a month ago without anybody answering. I waited a month to see if anybody would bring it up and embarrass themselves. I've got to be delicate here; I could just be making a fuss about nothing because there's no doubt that the staff here knows what they're doing, yet I still want to know if certain fields on the website (search bar and problem headings) are open to rudimentary non-persistent or reflected cross site scripting (XSS). It may even be open to persistent, but I scanned the terms and agreements and it would be impossible to check for that or SQL injections without violating my legal agreement. Another reason I'm reluctant to bring this up out in the open is because some other users might recognize that a form is open and put their malicious JS to potentially steal cookies, variables, phish, log keystrokes, redirect (dangerous), or forge requests, which would be terrible if Brilliant fell to evil chickens or something. But I want this to come into the view an admin, because if just one crazy 6th grader gets on and finds this, he/she might have been stealing cookies from users years back without anybody noticing.

Still, I could be wrong as normal, because XSS is pretty much the number 1 most popular attack vector followed by SQL and XSRF. I do believe that it is just a mistake; I've tested on my own website (with permissions from myself) and found it is remarkably easy to forget just once to sanitize the html field. Plus, this happened to many giants in the past years such as Facebook, Edmodo, Google, Myspace (remember the Sami worm?), so could Brilliant evade an growing flaw before someone exploits it?

Hey, I'm pretty sure half of you nerds already found this and pfsh lol spock, nothing is gonna happen. But if I am wrong, please tell me about how so. I'm new to web flaws, give me a shout in the description so at least I know I'm not yelling into the darkness, I'll update if I forgot to mention something. Also, I intend no harm on Brilliant company I love this website tis of thee viva la brilliante don't get mad at me.

Note by Spock Weakhypercharge
3 years, 5 months ago

No vote yet
1 vote


Sort by:

Top Newest

We take all measures we can think of to try to secure our code and the site in general. We are aware of most of the things that can happen and we do our best to eliminate them. However, as many people are aware, it's virtually impossible to write code of significant complexity without some kind of vulnerability.

If you email support@brilliant.org and give a list of what you would like to test, I can review it and possibly give permission to do some vulnerability testing.

Sam Solomon Staff - 3 years, 5 months ago

Log in to reply

Greatest reverance! Honestly, I meant for this post to be a heads up over a minor one-time-slip because it happens to me all the time. I will certainly research and consider this carefully, however, I am well aware this website knows what it is doing. The script looks nicely encrypted beyond my experience and there csrf tokens everywhere as well as really salty hashes. I'm not the best for vulnerability tests, but I will certainly email if it improves Brilliant in any way.

Spock Weakhypercharge - 3 years, 5 months ago

Log in to reply

OK, I sent it. I also tend to use the Mozilla add-on hackbar to quickly test and secure my websites against general attacks.

Spock Weakhypercharge - 3 years, 5 months ago

Log in to reply

This seems like something @Sam Solomon would be able to answer.

Daniel Hirschberg - 3 years, 5 months ago

Log in to reply


This is another thing that I'm coming from, kk?

Spock Weakhypercharge - 3 years, 5 months ago

Log in to reply


Problem Loading...

Note Loading...

Set Loading...