Let me just start off by saying I'm 100% an amateur and I don't really know that much, so I could be all wrong.
I was browsing the website and got redirected to a random URL. Tracing the requests back, I found that the redirect was caused by improperly sanitized HTML. The exploit more or less gives you an iframe's worth of functionality. This allows for very sophisticated phishing.
Firefox is not vulnerable to this (You might be able to guess what the vuln is from that).
Now this actually pales in comparison to the 2nd exploit I found. I'm significantly less sure this one works, but I'm still pretty sure it will. I have only tested it out in the preview mode, not published.
The preview mode DOES sanitize (it hits their server and comes back; basic stuff like <script> gets cleaned up). It just doesn't do a very good job at it. Now, they could have 2 different checks, one being more secure when publishing, but this seems unlikely. I'm not really familiar with the applicable laws, so I'm not willing to actually publish an attack to test.
The 2nd exploit allows me pretty much free rein on their page. More or less it lets you execute whatever JavaScript you want.
I have sent the company 2 messages through a form they have for reporting security vulnerabilities. However, I'm not even sure that they got through, as I never received a confirmation email (it said one would be sent).
I tried calling as well, but I just discovered it last night and I haven't gotten through to anyone who knows anything.
My conundrum is that this is an EXTREMELY popular website. Top 100 on Alexa, 30bn+ market cap. If this vulnerability is actually real, I'm not sure I'm comfortable sitting on the information for a prolonged period of time considering how easy it would be to exploit.
In the meantime I'm going to continue to try and contact the company but I'm not really sure what my next steps should be otherwise.
Does the company have a bug bounty policy?
No?
Then keep your mouth shut and get on with your life.
A significant percentage of people in power will react to unsolicited warnings of security vulnerabilities by attacking you as though you were their enemy. Worse, the law is at least not clearly on your side. This is not theoretical: people have come to significant harm in this way. Being a hero is great. Being a martyr? Not so much. You don't want next week's top HN story to be an appeal for donations to the legal defense fund of sah88.