Ehsan Cod3r Discovers Mail.Ru Vulnerability
Iranian whitehat cybersecurity researcher Ehsan Hosseini -aka Ehsan Cod3r- has disclosed a send edited message vulnerability in the Russian mail provider software mail.ru. The vulnerability is in the design allowing a potential privilege escaltion to the attacker. Ehsan Cod3r also credits Porya.
See the following links from Ehsan to show how the application was vulnerable:
Video : https://youtu.be/cEiik4mE-pM
Result : https://cdn.pbrd.co/images/gyMQ5rh1A.png
Summary of vulnerability is here and other vulnerabilities discovered by Ehsan is here
Responsible Disclosure Timeline
12 Sep 2016 – Discover Vulnerability
16 Sep 2016 – Report To Vendor
28 Sep 2016 – Mail.ru Confirmed This Issue
28 Sep 2016 – Mail.Ru rewarded $150 bounty.
01 Jan 2017 – Public Disclosure
Contact: [email protected]