Anyway, while playing this game, I discovered a stored XSS vulnerability in DOTS. Here’s how it came about.
XSS in a Mobile Game?
So, while playing the multiplayer mode of DOTS, I noticed that there was a “Share” feature. This feature allows you to share (or brag about) your scores with a friend. What happens is that the app uploads your scores and names to the web server (I haven’t looked into the exact HTTP request that it makes), gets back a unique URL, then allows you to send this URL to someone.