My Experience Reporting an XSS Vulnerability on Shein to HackerOne


24BkDoor

On August 30, 2024, at 2:20 PM UTC, I responsibly disclosed an XSS (Cross-Site Scripting) vulnerability on Shein to HackerOne. This vulnerability allowed me to create an alert box, demonstrating an injection point that could be further exploited. However, what followed was a frustrating experience highlighting the difficulties of reporting security flaws to certain companies.

After submitting my report, I received the following response from an analyst at HackerOne:

Thanks for bringing this to our attention. Text/Content injection is a low severity issue that does not generally meet the bar for a security concern, since it relies on social engineering. Nevertheless, if you managed to demonstrate HTML injection, we would be more than happy to re-examine your submission.

Your effort is nonetheless appreciated and we wish that you’ll continue to research and submit any future security issues you find.

Regards, @h1_analyst_leevi

In response, I executed the following:

Instead of accepting their initial verdict, I decided to go back and further investigate the vulnerability across all Shein domains. I was able to exploit the same flaw multiple times, proving that this was not just a simple content injection but an exploitable XSS vulnerability.

I resubmitted my findings, expecting a more thorough review. However, despite my efforts, my report was ultimately marked as informative with no further action taken. My attempts to follow up were ignored, and Shein chose not to address the issue.

Cross-Site Scripting vulnerabilities are not just minor nuisances. Depending on the context, they can be leveraged for session hijacking, credential theft, phishing attacks, and other malicious activities. Companies like Shein, which handle a vast amount of user data, should take such reports seriously rather than having HackerOne dismiss them outright.
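The analyst's reply above turns on one distinction: whether injected input is merely displayed as text (content injection) or interpreted as markup (HTML injection, which is the precondition for XSS). The following is an added example, not code from the original post and not Shein's or HackerOne's code, that demonstrates that distinction on a constructed, hypothetical page template. The vulnerable render function concatenates input straight into HTML; the hardened one applies HTML-entity encoding, and a small classifier reports which of the two outcomes a benign probe tag produced.

```python
import html
from html.parser import HTMLParser

# Constructed, hypothetical template: a "search results" page that reflects
# the user's query back into the response body (a classic reflected-XSS shape).
TEMPLATE = "<html><body><h1>Results for: {query}</h1></body></html>"


def render_unsafe(query: str) -> str:
    """Vulnerable pattern: raw user input is inserted into the HTML."""
    return TEMPLATE.format(query=query)


def render_safe(query: str) -> str:
    """Hardened pattern: input is HTML-entity encoded for an element-body context."""
    return TEMPLATE.format(query=html.escape(query, quote=True))


class _TagCollector(HTMLParser):
    """Records every start tag and every text run the browser-like parser sees."""

    def __init__(self) -> None:
        super().__init__()  # convert_charrefs=True: entities come back as text
        self.tags: list[str] = []
        self.text: list[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        self.tags.append(tag)

    def handle_data(self, data: str) -> None:
        self.text.append(data)


def classify(rendered: str, marker_tag: str) -> str:
    """Classify how a probe tag survived rendering.

    'html_injection'    - the marker was parsed as a real element (markup interpreted)
    'content_injection' - the marker only appears as literal text (entities encoded)
    'none'              - the marker is absent from the output
    """
    parser = _TagCollector()
    parser.feed(rendered)
    parser.close()
    if marker_tag in parser.tags:
        return "html_injection"
    if any(f"<{marker_tag}>" in chunk for chunk in parser.text):
        return "content_injection"
    return "none"


if __name__ == "__main__":
    # Constructed, benign probe: a harmless inline tag is enough to tell the
    # two cases apart; no script is needed to demonstrate the injection point.
    probe = "<u>probe</u>"
    print("unsafe:", classify(render_unsafe(probe), "u"))   # html_injection
    print("safe:  ", classify(render_safe(probe), "u"))     # content_injection
```

The encoding in `render_safe` is correct only for the element-body context shown; input placed inside an attribute, a `<script>` block, a URL, or CSS needs the encoding appropriate to that context, and a Content-Security-Policy remains the backstop when encoding is missed. The classifier is a triage aid for reproducing a report, not a substitute for reviewing where and how the input is rendered.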

This experience raises an ongoing concern within the bug bounty community: how certain individuals disregard valid security reports. While platforms like HackerOne provide a bridge between ethical hackers and organizations, there are times when it appears that issues are heavily downplayed to avoid payouts or public scrutiny.

If HackerOne had properly addressed the report, they could have improved their client’s security posture promptly and protected their users from potential attacks. Instead, they chose to ignore it.

I share this story not out of frustration alone, but to raise awareness about the challenges security researchers face when working with some companies. Responsible disclosure should be a two-way effort, but when companies dismiss valid security concerns, they leave their users exposed.

Have you ever had a similar experience with bug bounty programs? Drop a comment below and let’s discuss.

In truth, I am at a point where I have a backlog of unexposed findings and lack the drive to share every single one of them. I find more enjoyment in helping those who are willing to collaborate with me and find solutions. With that said, it is still important to make earnings, and a lack of earnings has a huge effect on motivation. I feel that a security risk now lies in the fact that there is no real value in ethical hacking at times, and such a viewpoint could easily sway people into mischievous routes. I hope there is a great improvement.

Sign up and subscribe because there are more bombshells to be dropped, you don’t want to miss out!
