Detailed Technical Analysis of "Story of Stealing Mail Conversation & Contacts in Mail.ru and MyMail iOS Applications via XSS"

Overview:
This write-up, authored by K0ala, delves into a Cross-Site Scripting (XSS) vulnerability found in the Mail.ru and MyMail iOS applications, which allowed the theft of email conversations and contacts. It details the discovery, exploitation methodology, and the remediation of this security flaw, demonstrating how client-side vulnerabilities in mobile applications can be leveraged to extract sensitive user data.

Key Technical Details:

  1. Discovery of the Vulnerability:
    The author identified that both the Mail.ru and MyMail iOS applications were susceptible to XSS after setting up a testing environment with Burp Suite and injecting test scripts into email messages.

  2. Embedding XSS Payloads in Email Content:
    The primary technique used was embedding JavaScript payloads within the body of an email. When the email was received and viewed on the iOS application, the embedded script executed, allowing unauthorized actions.

    • Payload Example: <img src="x" onerror="alert('XSS')"> was used as a basic payload to prove the XSS vulnerability. Because the src value is not a loadable image, the browser engine fires the onerror event handler of the img tag, so the JavaScript runs as soon as the message is rendered, without any user interaction.

  3. Exploitation Approach:

    • Malicious Email Sending: The attacker sends an email containing the embedded XSS payload to the target user's email address.
    • Script Execution: When the recipient opens the email on their iOS Mail.ru or MyMail application, the malicious script executes in the context of the mobile application.
    • Fetching Sensitive Data: The script can now access local storage, cookies, or any accessible DOM elements containing sensitive information such as email conversations, contacts, or session tokens.

  4. JavaScript Capabilities:

    • DOM Manipulation: The exploit script used JavaScript DOM manipulation to read the rendered conversation and contact data.
    • Network Requests: JavaScript's XMLHttpRequest or the newer fetch API were leveraged to send the extracted data back to a remote server under the attacker’s control.
    • Session Hijacking: Stealing session tokens or authentication cookies granted the attacker further access to the user's account.

  5. Security Misconfigurations:

    • Lack of Content Security Policy (CSP): The absence or poor implementation of CSP in the mobile applications made it easier for the XSS payload to execute once injected.
    • Inadequate Input Sanitization: Neither the HTML email body nor other parts of the message were adequately sanitized or escaped before rendering, which allowed arbitrary JavaScript to execute.

  6. Testing and Validation:

    • The author tested the XSS payloads in multiple scenarios to ensure consistent execution across different versions of the iOS applications.
    • Interception proxies such as Burp Suite were used to construct the test messages and verify that the XSS payload was delivered and rendered.

  7. Reporting and Patching:

    • Responsible Disclosure: The vulnerabilities were responsibly disclosed to Mail.ru Group's security team, allowing them to patch the issues without causing harm to the end-users.
    • Patch Implementation: Post disclosure, the vulnerabilities were addressed by updating the application's sanitization mechanisms to prevent the successful embedding and execution of malicious scripts.

Conclusion:

The write-up underscores the need for rigorous output encoding and HTML sanitization in email clients and other applications that render untrusted content, and for secure coding practices generally. The identification and responsible reporting of the XSS vulnerability by K0ala highlight the importance of community contributions in improving the security of widely used applications.

For full details, check the original write-up here.