October 26, 2016
Application security is often overlooked. Perhaps this is due to a lack of understanding, or perhaps a focus on features and aesthetics is more alluring for developers. Even a modest data breach can expose valuable data and cripple customer trust in your application.
The way the Square API delivers JSON output makes it possible for an attacker to carry out cross-site scripting (XSS) under certain circumstances. The vulnerability was discovered by security researcher Ajay Chavda and reported to Square on August 7, 2015 through its bounty program on HackerOne.
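The article does not say which detail of the JSON delivery was at fault. The following is an added example, not code from the article or from Square, showing the general defensive pattern for any JSON API endpoint: serve the body with an explicit `application/json` Content-Type, add `X-Content-Type-Options: nosniff` so the browser will not guess a different type, and `\u`-escape the characters an HTML parser cares about so the body cannot be interpreted as markup even if it is rendered directly. The function and header names are this example's own; the sample "weak" response is constructed for illustration.

```python
import json

# Characters that an HTML parser treats as markup, plus the two Unicode line
# separators that break inline JavaScript. Each is replaced by its \uXXXX
# escape, which is still valid JSON and decodes to the same string.
_HTML_ESCAPES = {
    "<": "\\u003c",
    ">": "\\u003e",
    "&": "\\u0026",
    "\u2028": "\\u2028",
    "\u2029": "\\u2029",
}


def html_safe_json(obj):
    """Serialize obj as compact JSON with HTML-significant characters escaped."""
    text = json.dumps(obj, ensure_ascii=False, separators=(",", ":"))
    for ch, esc in _HTML_ESCAPES.items():
        text = text.replace(ch, esc)
    return text


def json_response(obj):
    """Build (status, headers, body) for a hardened JSON API response.

    Hypothetical helper: a real framework would set these on its response
    object, but the three properties are the same.
    """
    headers = {
        # Explicit media type: the browser will never treat this as HTML.
        "Content-Type": "application/json; charset=utf-8",
        # Forbid MIME sniffing, so the declared type is the one that is used.
        "X-Content-Type-Options": "nosniff",
    }
    return 200, headers, html_safe_json(obj)


def check_json_delivery(headers, body):
    """Return the reasons a JSON response could be rendered as HTML (empty if none).

    Header names are matched exactly here for brevity; a real checker should
    compare them case-insensitively.
    """
    findings = []
    ctype = headers.get("Content-Type", "").lower()
    if not ctype.startswith("application/json"):
        findings.append("Content-Type is not application/json")
    if headers.get("X-Content-Type-Options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    if any(ch in body for ch in "<>&"):
        findings.append("body contains unescaped HTML-significant characters")
    return findings


if __name__ == "__main__":
    # Constructed sample: a user-controlled field that contains markup.
    payload = {"name": "<b>display name</b> & more"}

    # A weak delivery: plain json.dumps sent back as text/html.
    weak_headers = {"Content-Type": "text/html"}
    weak_body = json.dumps(payload)
    print("weak:", check_json_delivery(weak_headers, weak_body))

    # The hardened delivery from json_response().
    status, good_headers, good_body = json_response(payload)
    print("hardened:", check_json_delivery(good_headers, good_body))
    print(good_body)
    # The escaped body still round-trips to the original object.
    assert json.loads(good_body) == payload
```

Escaping in the serializer is the piece that protects even the endpoints whose headers you do not control, such as responses that a third party proxies or embeds; the header checks catch the case where a correctly escaped body is undone by a later layer that rewrites Content-Type.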