![]() ![]() Bug was fixed within 24h and a new app update released! WOW! By the way, Android was not vulnerable. So ProtonMail app on iOS is not filtering out the tag.Īs I did not find any way to compromise my own user data but still thought this is something ProtonMail should know about, I sent a bug report which was accepted event when the vulnerability was already known. Send-MailMessage -SmtpServer $smtp -To $to -From $from -Subject $subject -Body $body -BodyAsHtmlĪnd yep… here we go again. ![]() So let’s write some script in Powershell (yeah, something new to me so I did it for learning): $smtp = "mymailserver" Need to dig deeper… as mostly all mail clients filter out script parts in new emails, it has be done manually. Next day, while this popup didn’t let me sleep (okay, littly baby was keeping me awake but that made me think about it more and more), I was checking the source in web mail and there was nothing. What did I just see? XSS JS popup on iPhone? No way! ![]() I was about to delete it in my ProtonMail web mail interface but eventually forgot about it.Ī day later I’ve cleaned up my ProtonMail inbox on my iPhone and saw something strange: Without big success so far.Ĭouple of days later the service I was testing on sent out an email like “Hey, how do you like our service?”. While doing some research on a BugCrowd program I’ve certanly also tried to find one or another XSS or injection vulnerability and changed account names and personal details within my reseracher account to XSS strings. So it came that I discovered a XSS vulnerability in an iOS app. A lot of things happen without intention. ![]()
0 Comments
Leave a Reply. |