Ehsan Cod3r Discovers Mail.Ru Vulnerability

Iranian whitehat cybersecurity researcher Ehsan Hosseini -aka Ehsan Cod3r- has disclosed a send edited message vulnerability in the Russian mail provider software mail.ru. The vulnerability is in the design allowing a potential privilege escaltion to the attacker. Ehsan Cod3r also credits Porya.

Site: https://e.mail.ru/

See the following links from Ehsan to show how the application was vulnerable:

Video : https://youtu.be/cEiik4mE-pM
Result : https://cdn.pbrd.co/images/gyMQ5rh1A.png
Summary of vulnerability is here and other vulnerabilities discovered by Ehsan is here

Responsible Disclosure Timeline

12 Sep 2016 – Discover Vulnerability
16 Sep 2016 – Report To Vendor
28 Sep 2016 – Mail.ru Confirmed This Issue
28 Sep 2016 – Mail.Ru rewarded $150 bounty.
01 Jan 2017 – Public Disclosure

Contact: [email protected]