Hello, your site is vulnerable to XSS from the profile about form.

div

Posted 2023-07-12 23:59:22

https://status.cafe/users/div

Observe.

I am sorry to inform you of this publicly. Feel free to delete this message.

<img src="x" onerror="window.location.href = 'https://divsel.neocities.org'" />

In the meantime, if you're a user who is interested in mitigating this problem, you can use NoScript Suite to mark JS from this domain as untrusted.

Last edited on 2023-07-13 00:17:44

hazel

Posted 2025-04-16 10:02:30

Bump! This still happens.

cyanide

Posted 2025-04-23 19:20:27

Yep, there's an XSS worm going around right now. I'm using the NoScript Suite for now to block it as suggested by div, but it also means that statuscafe widgets are disabled on external websites which is really annoying.

misa

Posted 2025-05-01 18:30:25

Is there no fix for this yet besides using NoScript? It's still going around.

cherryghost

Posted 2025-05-20 04:59:24

AGREED, this is still VERY MUCH happening. I noticed this today and thought I was going crazy. @@; I’m hoping we don’t have to be worried about something happening to our account, but hopefully this can get looked at at some point.

The only other workaround I can think of is removing all the content from the profile section entirely, but that seems extreme and I’d rather save it for a last resort.

Enigmatic being, creechur from the fog, if you will.

usahana

Posted 2025-05-21 06:07:53

just got wormed :-p does this not put all of status.cafe users in danger? why has this not been fixed yet or at least addressed? X_X

jbcarreon123

Posted 2025-05-21 08:41:17

This is still happening. For now to mitigate this, disable JS on status.cafe user profiles entirely.

This is a thing for uBlock Origin users (put it on your custom filter lists):

||*status.cafe/users/*$csp=script-src 'none'

That will just disable scripts on status.cafe user profiles but it wouldn't block status.cafe widgets.

To test it, I put a simple thing on my profile that, if you click it, would just send an alert and redirect you here. If it's blocked successfully it should not show an alert but it should redirect you here.

https://status.cafe/users/jbcarreon123

Last edited on 2025-05-21 10:25:43

- he/him/they/them - https://jbcarreon123.nekoweb.org

drfredofficial

Posted 2025-05-22 13:47:09

Unsure how an XSS worm works but I do suggest adopting jbcarreon123's temporary solution. The only thing you're missing out on with it is some custom scripts on profiles, and a vast majority of profiles don't use those lol. Like getting free medicine but you have to trade a single spoon for it; insignificant consequence

midousuji

Posted 2025-06-06 18:04:22

this just happened to me as well. haven't seen it talked about anywhere outside of here, one neocities comment, and one pillowfort comment. is there any way to actually get rid of it? makes me not want to use status cafe because of this vulnerability!

thank you jbcarreon123 for the temporary fix! i don't know how to personally apply it because i only have ublock origin lite but hopefully it can help some others!

Last edited on 2025-06-06 18:13:49

nancy

Posted 2025-06-15 22:43:52

just realised same thing has happened to me, although dunno if that's the same piece of code the OP was writing about.

in my case it's some self-replicating JavaScript payload. took a look at the code, it seems that it latches onto your account while you're viewing an infected profile. when it's executed, it uses your session to update your own profile and pastes itself into your description, spreading itself further. while it seems to be rather harmless as in it won't steal your cookies or sth like that, and the creator tries so hard to be funny ("/the silly wormmade by ???should probably not infect the same person twicealso pls dont remove js, i think it'd be cool to keep it so that it allows funny stuff like this to happenxoxo and merry christmas"), it still violates safety and user consent. (i could get it all wrong though, i'm not a programmer, so if someone's willing to double check - lemme know, i have my email added on my status.cafe page).

not so fun fact, something very similar happened to myspace 20 years ago (google computer worm called Samy) -- so i really hope we get some security updates :,) an option to change one's passwords also would be appreciated after sth like this

jbcarreon123

Posted 2025-06-16 10:04:16

Yeah, you're correct.

After I made the mitigation, I looked at the code of the Worm and it does these things:

- It creates a hidden iframe on the same page of the site with a `?qw` URL query parameter, which runs the things below:

- It fetches the settings page, and appends itself on the user's about field (textarea)

- It appends a textarea and a submit button on the iframe content, then it clicks the submit button.

I think some solutions are:

- Sanitize user input. It already somewhat sanitizes input (like <script> tags are not allowed) but a full sanitization of user input is better than a half-baked one, as this worm uses inline event handlers (like onload or onerror)

- Implement better Content-Security-Policy headers (like preventing inline scripts from running on user pages) to prevent other XSS misuse.

- Implement better CORS to prevent scripts from fetching user settings for example

- Make it so the settings pages and such block being loaded in iframes. This can be implemented by using X-Frame-Options or the Content-Security-Policy headers.

I might create a post about this so more people can be wary of it.

m15o

Posted 2025-06-18 07:59:27

thank you so much @jbcarreon123 for the full write-up! I just published a fix that fully sanitizes user input. While the older worm is still around, creating a new one would be very difficult. I'll see what I can do for deleting the existing one!

m15o

Posted 2025-06-18 11:41:34

I'm now preventing inline scripts in the content security policy - hopefully that prevents anyone from getting infected.

jbcarreon123

Posted 2025-06-18 13:25:04

Thanks for fixing it! I also updated my post to say that it's been patched.

I'm hopeful that people will no longer get infected by this!

jbcarreon123

Posted 2025-06-21 02:20:09

Oh btw after the CSP fix every profile is broken - https://forum.status.cafe/topics/189#1115

nobo

Posted 2025-06-21 05:18:23

Wow, I never expected this to get fixed.

I always assumed it was intended, since the site doesn't let you delete your posts or make any other destructive actions that would normally be problematic for a site vulnerable to XSS. It also doesn't require JS to operate, so a user who wants to block it can do so easily enough.

An attacker could have maybe forced a user to make spammy posts or edit their CSS or profile, like the worm did. But I figured it was designed that way, and that you were comfortable with just removing the accounts of anyone who abused the JavaScript.

That being said I always thought it was a strange decision, since you can't help but feel uncomfortable about it and probably a lot of people have blocked JS on this domain for a long time.

It's the end of an era I guess.

That div user who reported this must have deleted their accounts.

Last edited on 2025-06-21 05:22:42