3 matches found
Mail.ru: User session access due to Oauth whitelist host bypass and postMessage
A destination for postMessage was not properly restricted on connect.mail.ru, allowing cross-site access to the session, as was shown for the 3k.mail.ru application session. Both connect.mail.ru and 3k.mail.ru belong to Ext.B scope, this scope does not offer a bounty for attacks with client-side vectors on t...
Mail.ru: CSRF Vulnerability at https://aw.my.com/
A CSRF vulnerability allowed changing userbar settings in https://aw.my.com/. https://aw.my.com/ belongs to Ext.B scope...
Mail.ru: SSRF On [ allods.mail.ru ]
SSRF in allods.mail.ru. allods.mail.ru belongs to Ext.B scope...