XSS hijack found in 180,000 member gaming site.

2 weeks ago, I found an XSS hijack in a 180,000 member gaming site, a pretty crazy one too...I also found around 6-7 SQL injections. Well, the SQL injections were nothing, and I already reported them to the admin of the website.

But the XSS (cross-site scripting) hijack I found enables anybody to get any member's username and password for the site. I even logged in as the administrator for a moment (it was nice), and I told him right after about the security hole, and he wants me to give him the hole...but I think it is QUITE a damn security hole if I can get ANY member's username and password to the site...I charged him a LOW $50.00, and he said he will never pay me for it, so I said I would never tell him how to fix the hole, and where the hole is...so we're kind of stuck in that position.

You guys think I should be charging the owner more than 50.00 for such a huge security exploit? The guy makes 1200.00 bucks in ads a month (this is what he told me), he probably makes even more than that, yet he can't afford 50.00 for an extremely huge hole. The guy thinks it's a Mozilla bug instead.

What do you guys think?

 

 

 

 
