XSS when replying / forwarding to a malicious email on iOS

ID H1:264177
Type hackerone
Reporter pwnsdx
Modified 2017-12-28T15:04:02


Domain, site, application for iOS

Testing environment

iOS 10

Steps to reproduce

1) Send you a mail with something like this in the From field: =?utf-8?b?PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ+?

Note: This is a base64 string of "<script>alert(document.cookie)</script>"

2) Try to forward or reply to that email.

Note: If you kill the app from the iOS multitask and run it again, the reply / forward will show again, executing one more time the JS code.

Actual results

JS alert with current cookies is shown

Expected results, security impact description and recommendations

Nothing happens

PoC, exploit code, screenshots, video, references, additional resources

Payload is: From: =?utf-8?b?PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ+?

Video has been attached.