JavaScript Injection in six Android mail clients

During last spring (2019) I started to “open and read” the Android applications before installing them. Reversing an APK file can be interesting to understand how an app works, how it manages the permissions and my data, and whether there are vulnerabilities. I was looking for a different Android mail client, so I started to reverse them and I found many mail clients on Play Store were - maybe are - vulnerable to JavaScript injection....

February 15, 2020 · 2 min · 340 words · Luigi Gubello

From XSS to RCE in Simplenote 1.1.3

Summary: In Simplenote 1.1.3 - Desktop app there is a stored XSS vulnerability that can be used to execute arbitrary code. If there is malicious code in the note and the user tries to print it (for example to save it as a PDF), the malicious code runs. #358049 - RCE via Print function [Simplenote 1.1.3 - Desktop app]. 27/05/2018 – I send the report. 25/06/2018 – The vulnerability is fixed and the bug bounty reward is 250$...

July 29, 2018 · 1 min · 115 words · Luigi Gubello

Stored XSS in Microsoft Bing

After many unsuccessful attempts to find an XSS in Yahoo’s domains, I decided to move my attention to Microsoft Bing. If you have a Microsoft account, Bing allows you to save online content (images, videos and places) on the page My saves, and allows you to create collections to better manage your own content. The titles of these collections were not properly filtered, so it was possible to break the code and inject persistent arbitrary code....

April 21, 2018 · 2 min · 226 words · Luigi Gubello

Multiple stored XSS in AOL Mail

In November, I reported various persistent XSS vulnerabilities in AOL Mail to the AOL Security Team. They replied quickly and fixed the vulnerabilities in less than 90 days. 1. Using an unclosed tag, it was possible to inject arbitrary JavaScript code. The payload ran as soon as the victim opened the site mail.aol.com because the code was in the e-mail preview. 18/11/2017 - I send the report. 28/11/2017 - The vulnerability is fixed and I’m rewarded by having my name written in the Hall of Fame...

March 23, 2018 · 2 min · 223 words · Luigi Gubello

Stored XSS via cloud attachment

ZOHO Mail is a business mail that includes integrated calendar, contacts, notes, and tasks apps. Initially I was looking for a stored XSS in the webmail, but I did not find it so I started checking the other services. I wondered if it was possible to inject malicious code via attachments in ZOHO Notes. By attaching a local file it wasn’t, but in ZOHO Notes you can attach files from some cloud services: Google Drive, Dropbox, Box and Evernote....

January 20, 2018 · 2 min · 342 words · Luigi Gubello