An XSS vulnerability on Suia — found & fixed in 45 minutes

Medium · 2024-03-01

Suia is a Web3 social application on the Sui network — minting Sui NFTs and running on-chain NFT gifting and auctions — backed by the Sui Foundation, HashKey, SevenX, EVG, BingX and Y2Z.

While using Suia Club I found a stored cross-site scripting (XSS) vulnerability: attacker-supplied content was saved by the application and later executed as JavaScript in the browsers of other users who viewed it. Because it runs arbitrary JavaScript in other users' browsers, it could have been used to steal private keys and session cookies, and to manipulate transactions, putting user assets and the platform's integrity at real risk.

Responsible disclosure

I reported it to the Suia team immediately. Discovery to fix took about 45 minutes:

  • 09:13 — confirmed the XSS on Suia Club
  • 09:19 — started reaching out to the Suia team
  • 09:23 — connected and reported the bug
  • 09:58 — Suia team shipped a fix

Credit to the Suia team for the fast turnaround.