Story of stealing mail conversation, contacts in mail.ru and myMail iOS applications via XSS
In June 2020, I found a stored XSS bug that could allow an attacker to steal user email conversations, contacts in mail.ru and myMail iOS applications (version 12.2.1). Mail.ru is one of the biggest organization in Russian and registered over 100 Millions active accounts.
The Story of the Bug
The bug occurs due to lack of validation in SVG image file. An example of SVG XSS is
<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"><polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/><script type="text/javascript">alert("XSS");</script></svg>
When a user viewed above SVG file, XSS is pop-up as shown in below.
Finding valuable file
I stared hating to report without showing an impact and also XSS in attachment is most likely to close as informative in mail application. So, I stared digging around the application file structure.
First, I just thinking about dumping /etc/passwd as PoC but in iPhone /etc/passwd is just a sandbox feature and so I have to retrieve something. Luckily, I have jailbroken iPhone 5 and so I can view every file and folder within iPhone. Application data in iOS file structure stored in /private/var/mobile/Containers/Shared/AppGroup/followed by random folder as shown in below.
I asked myself, how I can know which folder contains mail.ru application data. The folders name will not be same in every iPhone(folder itself and some files inside that folder will remain the same) and I realized that I need to get folder path via XSS. So, I used alert(location.href); in SVG file and send a mail to myself, after that I got folder location.
Then I browse to that folder and saw few SQLite database files + some folders.
After downloading and viewing each file in that folder, I realized that mail_cache.sq3 file contains email conversation, contacts, payment information and almost everything.
So, I choose to retrieve this SQLite database to my server. If I can get this database, it is enough to show the impact of this XSS bug and I can reported with a nice PoC to mail.ru. I start writing my PoC script, viewed crafted SVG file in my iPhone(which has no jailbreak) and yes I can verify the file exists by popping the contents of the file.
Defeating errors and writing a workable PoC
So, I stared to write a PoC in order to upload whole SQLite database to my server but I got a lot of errors and only some small portions of the file is send to my server. After fixing errors over 4 hrs, I can upload whole SQLite database file to my server with below SVG file.
The script firstly read mail.ru folder location, read the mail_cache.sq3 folder and then upload the whole file to attacker controlled server. Then I send this SVG file to user who used mail.ru and my.com applications. If user viewed attacker crafted SVG file, his SQLite database(containing email conversations, contacts ..etc.) will send to attacker and attacker can view email conversations, contacts ..etc as shown in below.
Conclusion
I quickly reported to the program and Mail.ru rewarded $1000 as a bounty. Thanks for your reward :).
The program manager said, this is not Stored XSS vulnerability and the bug is Cross application scripting (CAS). For my understanding, the vulnerability that can execute JavaScript in iOS is called XSS. May be I was wrong or ..
After they fixed the bug, I request them to disclose about my report and they confirmed they will disclose the bug in few weeks so I have a permission to write about the bug in Medium :).
