We used chatbot code from IBM, and it was instantly vulnerable to XSS attacks (opens in new tab)

(github.com)

3 pointsftreml5y ago3 comments

3 comments

The repo reads like research code, and indeed seems to be an article's companion code plus platform example code. The code in question was committed in 2018 and never touched again.

That's no excuse, it pretty literally does "innerhtml = user_input" and it's awful. But it's not a flagship chatbot library from what I see, which probably lessens the impact of such awfulness.

ftremlOP5y ago

partially agree. In another repo, the same vulnerability was only fixed after years ...

https://github.com/watson-developer-cloud/assistant-simple/c...

ftremlOP5y ago

I wrote about security threats for chatbots

https://floriantreml.medium.com/security-threats-and-securit...

j / k navigate · click thread line to collapse

3 comments

lumpa5y ago

The repo reads like research code, and indeed seems to be an article's companion code plus platform example code. The code in question was committed in 2018 and never touched again.

That's no excuse, it pretty literally does "innerhtml = user_input" and it's awful. But it's not a flagship chatbot library from what I see, which probably lessens the impact of such awfulness.

ftremlOP5y ago

partially agree. In another repo, the same vulnerability was only fixed after years ...

https://github.com/watson-developer-cloud/assistant-simple/c...

ftremlOP5y ago

I wrote about security threats for chatbots

https://floriantreml.medium.com/security-threats-and-securit...

j / k navigate · click thread line to collapse