Thank You for Your Security Contribution
We celebrate the security researchers who help make Tuturuuu safer for everyone. Your vigilance and expertise are invaluable to our community.
Nguyen Nghia Hiep (vapour)
Security Researcher Extraordinaire
"Thank you for your valuable contribution to making Tuturuuu's products more secure. Your ethical approach to security research helps protect our users worldwide."
Vulnerability Discovery
This report has helped us identify a security vulnerability, allowing us to plan appropriate mitigations.
Stored Cross-Site Scripting (XSS) via SVG file upload
Description
A vulnerability was discovered that affects all Tuturuuu products and services that use Supabase-based storage management for avatar uploads. When a user uploads an SVG image as a new avatar, the upload is sent as a POST request to an endpoint that a malicious actor can manipulate. While Tuturuuu infrastructure automatically blocks scripts from running on Tuturuuu-powered websites, the vulnerability becomes exploitable when a user opens the uploaded SVG file directly through its Supabase storage link.
Impact
If a user opens the SVG file directly via the Supabase storage link, malicious JavaScript embedded in the SVG could execute, potentially leading to session hijacking, credential theft, or redirection to malicious sites. The issue is rated low priority because it only affects users who open avatar images directly from the Supabase storage URLs, not end users browsing Tuturuuu sites.
Recommended Remediation
The recommended solution is to restrict SVG file uploads or implement server-side sanitization of SVG content to remove JavaScript before storage.
Future Patching Plan
Future patching will include blocking public uploads to the Supabase avatars folder, implementing SVG sanitization on our backend servers, and enhancing the security procedures for handling image-related uploads. This will involve more thorough business logic validation and improved content security policies.
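An added example of the server-side SVG sanitization step described above, not code from Tuturuuu's own backend: it parses an uploaded SVG, drops elements and attributes that can carry script, and reports how many were removed, so an upload handler can either store the cleaned file or reject the upload outright when anything was stripped. The sample SVG, the forbidden-element list and the URL-scheme allowlist are assumptions chosen for this illustration.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)        # keep <svg> unprefixed on output
ET.register_namespace("xlink", XLINK_NS)

# Elements that execute script or embed active HTML; dropped with their subtree.
FORBIDDEN_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}
# Attributes that carry a URL (plain href and xlink:href); only these schemes pass.
URL_ATTRS = {"href", "{%s}href" % XLINK_NS}
SAFE_PREFIXES = ("#", "/", "http://", "https://")

def _local(name: str) -> str:
    """Strip the '{namespace}' prefix ElementTree adds: '{ns}script' -> 'script'."""
    return name.rsplit("}", 1)[-1]

def _is_safe_url(value: str) -> bool:
    # Rejects javascript:, data:, vbscript: and any other non-allowlisted scheme.
    v = value.strip().lower()
    return v == "" or v.startswith(SAFE_PREFIXES)

def sanitize_svg(data: bytes) -> tuple[bytes, int]:
    """Return (sanitized SVG bytes, count of removed nodes/attributes).

    Raises ET.ParseError on malformed XML; callers should reject such uploads.
    For untrusted input in production, parse with defusedxml to also block
    entity-expansion attacks, which ElementTree alone does not prevent.
    """
    root = ET.fromstring(data)
    if _local(root.tag) != "svg":
        raise ValueError("root element is not <svg>")
    removed = 0
    # Snapshot the tree first so removals do not disturb the iteration.
    for parent in list(root.iter()):
        for child in list(parent):
            if _local(child.tag) in FORBIDDEN_TAGS:
                parent.remove(child)
                removed += 1
    for elem in root.iter():
        for attr in list(elem.attrib):
            is_handler = _local(attr).lower().startswith("on")      # onload, onclick, ...
            bad_url = attr in URL_ATTRS and not _is_safe_url(elem.attrib[attr])
            if is_handler or bad_url:
                del elem.attrib[attr]
                removed += 1
    return ET.tostring(root, encoding="utf-8", xml_declaration=True), removed

# Constructed sample avatar: one script element, one event handler, one javascript: link.
SAMPLE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
  xmlns:xlink="http://www.w3.org/1999/xlink" width="64" height="64">
  <script>alert(document.cookie)</script>
  <rect width="64" height="64" fill="#0af" onload="alert(1)"/>
  <a xlink:href="javascript:alert(1)"><text x="8" y="40">hi</text></a>
</svg>"""
```

Serving the stored file with `Content-Disposition: attachment` (or a CSP that forbids script on the storage origin) is a complementary control, since it stops the browser from rendering the SVG as a document at all.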
Join Our Bug Bounty Program
Help us identify security vulnerabilities and get recognized for your contributions. We value ethical security research.
Program Benefits
Recognition
Get your name listed on our Bug Bounty Hall of Fame
Direct Communication
Work directly with our security team
Global Impact
Help protect Tuturuuu users around the world
Found a vulnerability?
Report it responsibly and join our list of security contributors.