Mail.ru: Cross application scripting via account.mail.ru

2018-12-20T20:21:17
ID H1:470380
Type hackerone
Reporter petser
Modified 2019-03-11T11:56:08

Description

Cross-application scripting via User-Agent in the push login confirmation functionality of the mobile application, in the context of the account.mail.ru domain, allowed session hijacking with minimal user interaction.