Recently on an independent research I've found the Goodreads API was vulnerable to a Reflected Cross-site scripting.
The issue happens on their REST API on a callback function parameter. No sanitizing mechanism was found and the parameter is echoed back in the JSON payload, allowing a malicious user to
potentially launch XSS attacks.
I've submitted the issue to the Goodreads' security team and this was quickly fixed.
Goodreads is an Amazon company with 55 millions of users. Their site is ranked 139 in the USA and 336 globally, according to Alexa.
Proof Of Concept:
Vulnerable API calls with XSS payload:
Vulnerability Disclosure Timeline:
2016-11-11: Goodreads notification
2016-11-11: Goodreads feedback
2016-11-15: Goodreads fix/patch
2016-12-12: Public disclosure