Story of stealing mail conversations and contacts in the mail.ru and myMail iOS applications via XSS

kminthein
Jun 30, 2020 · 4 min read

In June 2020, I found a stored XSS bug that could allow an attacker to steal a user's email conversations and contacts in the mail.ru and myMail iOS applications (version 12.2.1). Mail.ru is one of the biggest organizations in Russia and has registered over 100 million active accounts.

The Story of the Bug

The bug occurs due to a lack of validation of SVG image files. An example of an SVG XSS payload is:

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">alert("XSS");</script>
</svg>

When a user views the SVG file above, the script executes and the XSS alert pops up, as shown below.
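As an added defensive example (not code from this write-up or from Mail.ru), the following Python checks an SVG attachment for the active content that makes a payload like the one above work (script elements, on* event handlers and javascript: hrefs) and can strip it before the image is handed to a WebView. PAYLOAD is a constructed sample modelled on the SVG above, and the element and attribute lists are my own choice, not a complete SVG security policy.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
ET.register_namespace("svg", SVG_NS)  # keeps re-serialized output readable

# Elements that execute or embed active content when an SVG is rendered in a WebView.
ACTIVE_TAGS = {"script", "foreignobject", "iframe", "embed", "object", "handler"}
# URL schemes that turn an href into executable content.
ACTIVE_SCHEMES = {"javascript", "vbscript"}

def _local(name):
    # Strip the {namespace} prefix ElementTree puts on qualified names.
    return name.rsplit("}", 1)[-1]

def _is_active_attr(attr, value):
    """True for on* event handlers and javascript:/vbscript: hrefs."""
    aname = _local(attr).lower()
    if aname.startswith("on"):
        return True
    if aname == "href":
        # Collapse whitespace first: "java\tscript:" is still javascript: to a browser.
        scheme = "".join(value.split()).lower().split(":", 1)[0]
        return scheme in ACTIVE_SCHEMES
    return False

def find_active_content(svg_bytes):
    """Return a list of findings for an SVG document; an empty list means no active content."""
    root = ET.fromstring(svg_bytes)  # raises ET.ParseError on malformed XML
    findings = []
    for el in root.iter():
        tag = _local(el.tag)
        if tag.lower() in ACTIVE_TAGS:
            findings.append(f"element <{tag}>")
        findings += [f"attribute {_local(a)} on <{tag}>" for a, v in el.attrib.items() if _is_active_attr(a, v)]
    return findings

def sanitize_svg(svg_bytes):
    """Return the SVG re-serialized with active elements and attributes removed."""
    root = ET.fromstring(svg_bytes)
    for parent in list(root.iter()):  # snapshot: we mutate the tree while walking it
        for child in list(parent):
            if _local(child.tag).lower() in ACTIVE_TAGS:
                parent.remove(child)
    for el in root.iter():
        for attr in [a for a, v in el.attrib.items() if _is_active_attr(a, v)]:
            del el.attrib[attr]
    return ET.tostring(root, encoding="unicode")

# Constructed sample modelled on the write-up's payload; find_active_content(PAYLOAD) -> ['element <script>']
PAYLOAD = b'<?xml version="1.0" standalone="no"?><svg xmlns="http://www.w3.org/2000/svg" version="1.1"><polygon points="0,0 0,50 50,0" fill="#009900"/><script type="text/javascript">alert("XSS");</script></svg>'
```

Rejecting an attachment on any finding is the safer default for a mail client; sanitize_svg is for cases where the image must still be shown, and it does not cover CSS url() fetches or external entity loading.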


Finding a valuable file

I hate reporting without showing impact, and an XSS in an attachment is most likely to be closed as informative in a mail application. So I started digging around the application's file structure.

First, I thought about dumping /etc/passwd as a PoC, but on an iPhone /etc/passwd is just a sandbox feature, so I had to retrieve something else. Luckily, I have a jailbroken iPhone 5, so I can view every file and folder on the device. On iOS, application data is stored under /private/var/mobile/Containers/Shared/AppGroup/ followed by a random folder name, as shown below.


I asked myself how I could know which folder contains the mail.ru application data. The folder name is not the same on every iPhone (the folder itself and some of the files inside it will remain the same), so I realized I needed to get the folder path via the XSS. I used alert(location.href); in the SVG file and sent the mail to myself; after that I had the folder location.


Then I browsed to that folder and saw a few SQLite database files plus some folders.


After downloading and viewing each file in that folder, I realized that the mail_cache.sq3 file contains email conversations, contacts, payment information and almost everything else.

[Image: Email Conversations]
[Image: Contacts]

So I chose to retrieve this SQLite database to my server. If I could get this database, it would be enough to show the impact of this XSS bug and I could report it with a nice PoC to mail.ru. I started writing my PoC script, viewed the crafted SVG file on my iPhone (which is not jailbroken), and yes, I could verify that the file exists by popping up its contents.


Defeating errors and writing a workable PoC

So I started writing a PoC to upload the whole SQLite database to my server, but I got a lot of errors and only small portions of the file were sent to my server. After fixing errors for over 4 hours, I could upload the whole SQLite database file to my server with the SVG file below.

[Image: PoC script for dumping mail_cache.sq3]

The script first reads the mail.ru folder location, then reads the mail_cache.sq3 file and uploads the whole file to an attacker-controlled server. I then sent this SVG file to a user of the mail.ru and my.com applications. If the user views the attacker-crafted SVG file, his SQLite database (containing email conversations, contacts, etc.) is sent to the attacker, who can then view the email conversations, contacts, etc., as shown below.


Conclusion

I quickly reported it to the program and Mail.ru rewarded $1000 as a bounty. Thanks for the reward :).


The program manager said this is not a Stored XSS vulnerability but Cross Application Scripting (CAS). To my understanding, a vulnerability that can execute JavaScript in an iOS application is called XSS. Maybe I was wrong or ...


After they fixed the bug, I asked them for permission to disclose my report, and they confirmed they would disclose the bug in a few weeks, so I have permission to write about the bug on Medium :).
