First off, I'm going to be honest and say I'm not one of those brilliant Brilliant users (probably bottom 10%). I am new to JS, web design, HTML, PHP, jQuery, and all the noob basics. To me, Brilliant is one of those giant imperialist CSS tanks that are flawless. I see you people out there making all sorts of witchcraft and inventing calculus. However, I've searched the archived posts and see none regarding this issue, if it even is an issue.
So I sent a message to Brilliant support asking about this issue about a month ago without anybody answering. I waited a month to see if anybody would bring it up and embarrass themselves. I've got to be delicate here; I could just be making a fuss about nothing because there's no doubt that the staff here know what they're doing, yet I still want to know if certain fields on the website (search bar and problem headings) are open to rudimentary non-persistent or reflected cross-site scripting (XSS). It may even be open to persistent XSS, but I scanned the terms and agreements and it would be impossible to check for that or for SQL injection without violating my legal agreement. Another reason I'm reluctant to bring this up out in the open is that some other users might recognize that a form is open and put in their malicious JS to potentially steal cookies, variables, phish, log keystrokes, redirect (dangerous), or forge requests, which would be terrible if Brilliant fell to evil chickens or something. But I want this to come into the view of an admin, because if just one crazy 6th grader gets on and finds this, he/she might have been stealing cookies from users years back without anybody noticing.
Still, I could be wrong as normal, because XSS is pretty much the number 1 most popular attack vector, followed by SQL injection and XSRF. I do believe that it is just a mistake; I've tested on my own website (with permission from myself) and found it is remarkably easy to forget just once to sanitize the HTML field. Plus, this happened to many giants in past years such as Facebook, Edmodo, Google, and Myspace (remember the Samy worm?), so could Brilliant evade a growing flaw before someone exploits it?
Hey, I'm pretty sure half of you nerds already found this and pfsh lol spock, nothing is gonna happen. But if I am wrong, please tell me how so. I'm new to web flaws, so give me a shout in the comments so at least I know I'm not yelling into the darkness; I'll update if I forgot to mention something. Also, I intend no harm on the Brilliant company; I love this website, tis of thee, viva la brilliante, don't get mad at me.
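To make the "forgot to sanitize just once" point concrete, here is an added example (not Brilliant's code, and not from the poster) of a search page that reflects the query into its results heading, once without encoding and once with it. The function names, the `escapeHtml` helper and the constructed query are all hypothetical; `escapeHtml` covers only the HTML body and attribute contexts, so a value landing in a URL or inside a script block would need a different encoder.

```javascript
// Added example: reflected XSS from an unencoded search echo, and the fix.
// Neither the page layout nor the function names are from the real site.

// Minimal HTML encoder for text and double-quoted attribute contexts.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before": the query is interpolated straight into the markup.
// Whatever the user typed becomes part of the page's DOM.
function renderSearchHeadingUnsafe(query) {
  return `<h2>Results for "${query}"</h2>`;
}

// "After": the only change is encoding the untrusted value first.
function renderSearchHeadingSafe(query) {
  return `<h2>Results for "${escapeHtml(query)}"</h2>`;
}

// Review check: count the tags in the rendered fragment. The template
// contributes exactly two (<h2> and </h2>); anything more came from input.
function countTags(html) {
  return (html.match(/<[a-zA-Z!\/][^>]*>/g) || []).length;
}

// Constructed input: breaks out of the heading and adds a script element.
const constructedQuery = 'calculus</h2><script>document.title="x"</script>';

// Unsafe output carries 5 tags, safe output carries the template's 2.
console.log(countTags(renderSearchHeadingUnsafe(constructedQuery)), countTags(renderSearchHeadingSafe(constructedQuery)));
```

The same tag-count check run over a real page's rendered output is a cheap regression test for a field that is supposed to show text only.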
Comments
This seems like something @Sam Solomon would be able to answer.
We take all measures we can think of to try to secure our code and the site in general. We are aware of most of the things that can happen and we do our best to eliminate them. However, as many people are aware, it's virtually impossible to write code of significant complexity without some kind of vulnerability.
If you email [email protected] and give a list of what you would like to test, I can review it and possibly give permission to do some vulnerability testing.
Greatest reverence! Honestly, I meant for this post to be a heads-up over a minor one-time slip, because it happens to me all the time. I will certainly research and consider this carefully; however, I am well aware this website knows what it is doing. The script looks nicely encrypted beyond my experience and there are CSRF tokens everywhere as well as really salty hashes. I'm not the best for vulnerability tests, but I will certainly email if it improves Brilliant in any way.
OK, I sent it. I also tend to use the Mozilla add-on hackbar to quickly test and secure my websites against general attacks.
https://brilliant.org/discussions/thread/is-brilliant-vulnerable-to-heartbleed/
This is another thing that I'm coming from, kk?