Iranian whitehat cybersecurity researcher Ehsan Hosseini (aka Ehsan Cod3r) has disclosed a "send edited message" vulnerability in the software of Russian mail provider Mail.ru. The vulnerability lies in the design and could allow an attacker to escalate privileges. Ehsan Cod3r also credits Porya.
The following links from Ehsan show how the application was vulnerable:
Responsible Disclosure Timeline
12 Sep 2016 – Discover Vulnerability
16 Sep 2016 – Report To Vendor
28 Sep 2016 – Mail.ru Confirmed This Issue
28 Sep 2016 – Mail.Ru rewarded $150 bounty.
01 Jan 2017 – Public Disclosure
Contact: [email protected]