I want share about my finding in Microsoft outlook IOS application that could affect 2.62.0 and below. I’m not bounty hunter and i really don’t want to become. When I have free time, i choose random websites or apps. Two months ago, i upload a file via Microsoft out using web based application with extension name….
'"><img src=x onerror="alert(window.clientInformation.appVersion);">.jpg
Nothing happened in their core website and i think “Wait what if vulnerable to XSS in ios app?” and then i opened this message via ios app and the result is
I speak myself “OMG!!”. The problem is that they missed to standardize in IOS side. Yes, they do properly in outlook.live.com. So this vulnerability becomes Stored(blind) XSS.
I reported to Microsoft MSRC and they placed my name in their security researcher list, lol i don’t think myself as security researcher.
Thanks everyone who read this writeup.