Security researcher Rafay Baloch has identified cross-site scripting (XSS) and SQL Injection vulnerabilities on the “With Friends” website of social game developer Zynga, zyngawithfriends.com.
Shortly after being notified, the company rushed to address the security holes.
“The response and the fix were very quick. As it was a SQL Injection vulnerability, they had to fix it very quickly, as an attacker could have easily dumped the whole database. Therefore, they fixed it quickly,” Rafay Baloch told me in an email.
Zynga has added the expert to its list of whitehats who reported vulnerabilities to the company in 2012.
To demonstrate the existence of the SQL Injection flaw, the researcher has provided a screenshot.
Back in December, Rafay Baloch was rewarded with $10,000 (8,000 EUR) by PayPal for disclosing a remote code execution vulnerability on paypal.com.