Hi, I’m Seif Elsallamy a bug hunter from Seekurity Team, Today i will show you a critical reflected Cross Site Scripting bug affecting mail.ru and could be used as an XSS worm but first let’s dive into some general information.
What is mail.ru?
mail.ru is a Russian mailing services like yahoo, hotmail and gmail.
Mail.Ru Group, ООО (commonly referred to as Mail.Ru) is a Russian Internet company. It was started in 1998 as an e-mail service and went on to become a major corporate figure in the Russian-speaking segment of the Internet. As of 2013 according to comScore, websites owned by Mail.ru collectively had the largest audience in Russia and captured the most screen time. Mail.Ru’s sites reach approximately 86% of Russian Internet users on a monthly basis and the company is in the top 5 of largest Internet companies, based on the number of total pages viewed. Mail.ru controls the 3 largest Russian social networking sites. It operates the second and third most popular Russian social networking sites, Odnoklassniki and Moi Mir, respectively. Mail.ru holds 100% of shares of Russia’s most popular social network VKontakte and minority stakes in Qiwi, formerly OE Investments (15.04%). It also operates two instant messaging networks (Mail.Ru Agent and ICQ), an e-mail service and Internet portal Mail.ru, as well as a number of online games.
What is Cross-site scripting AKA XSS? And why ours is stored?
What is eml files?
Used by many email clients including Novell GroupWise, Microsoft Outlook Express, Lotus notes, Windows Mail, Mozilla Thunderbird, and Postbox. .eml files contain the email contents as plain text in MIME format, containing the email header and body, including attachments in one or more of several formats.
Now lets back to mail.ru bug….
Mail.ru is parsing .eml files and fetches the “subject” automatically then reflecting it in the email subject without sanitizing, filtering or validating it for malicious content which was the main root cause for our Stored XSS to occur.
So to reproduce this behavior, We simply created a new eml file “test.eml”, Edited this file and included a simple XSS payload ie. “subject : <script>alert(“XSS”);</script>” then we saved the file, After that we went to we navigated to “m.mail.ru” (the mobile version of mail.ru), Created a new mail, uploaded the eml file and then we hit “send”
Once a victim receive our malicious message, Opening it, you will find this lovely and cute popup alert box with word “XSS” inside it which mean that the script has been executed so that’s mean XSS occurs.
Impact of a simple attack scenario:
Imagine that an XSS work behavior which spreads over your mail.ru contacts, send the same malicious message to all of your contact with a JS execution of stealing user’s session and act on behalf of the currently logged in user! And possibilities are endless here.
We responsibly disclosed the vulnerability to Mail.ru through their HackerOne bug bounty program and they fixed it and rewarded us with a generous bounty, Thanks Mail.ru