Yahoo Mail XSS by just sending an E-mail

Vulnerability Type: Cross Site Scripting (XSS)
  • Reported on 18-03-2014
  • Fixed on 28-04-2014
#Denied with reason:
I'm closing this report as the bug is no longer valid. It is possible it was fixed due to a duplicate report or it was fixed with a product update.
Steps to reproduce:

Use any E-mail service that allows us to use special characters in 'Name' while sending an E-mail.

There are many out there but we will use Yandex as an example here. (You can also use-

1. Login to your Yandex Account (or Create New) and go to

2. Set your name as:

" onmouseover=alert(0) a

and click on 'Save Changes' button.

3. Now, Go to

In 'To' field, write your own Yahoo Email Address. Fill other required fields (if any) and send the message.

4. Check your Yahoo Inbox. Click on [onmouseover=alert(0) a] name and move your mouse over 'New Message'.

You will see a pop-up due to the XSS vulnerability.
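The name set in step 2 begins with a double quote, which suggests the sender's display name was written into a double-quoted HTML attribute without encoding. The following is an added example, not code from Yahoo or from the original post: it parses the display name from a constructed From header and compares the attributes a browser would see with and without attribute encoding. The markup, function names and sample header are assumptions made for illustration.

```javascript
// Added example: function names, markup and the sample header are constructed.

// Pull the display name out of a From header value: "Name" <addr> or Name <addr>.
function displayName(fromHeader) {
  const m = /^\s*(?:"((?:[^"\\]|\\.)*)"|([^<]*?))\s*<[^<>]+>\s*$/.exec(fromHeader);
  if (!m) return "";
  // Undo quoted-string backslash escapes (\" becomes ").
  const raw = m[1] !== undefined ? m[1].replace(/\\(.)/g, "$1") : m[2];
  return raw.trim();
}

// Encode a value for an HTML text node or a quoted attribute value.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;", "`": "&#96;" };
  return String(s).replace(/[&<>"'`]/g, (c) => map[c]);
}

// Before: the name is concatenated into a double-quoted attribute as-is.
function renderUnsafe(name) {
  return '<a class="sender" title="' + name + '">New Message</a>';
}

// After: identical markup, but the name is encoded for the attribute context.
function renderSafe(name) {
  return '<a class="sender" title="' + escapeHtml(name) + '">New Message</a>';
}

// List the attribute names of the opening tag (simplified tokenizer for this demo).
function attributeNames(html) {
  const tag = /^<\w+([^>]*)>/.exec(html)[1];
  const re = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/g;
  const names = [];
  let m;
  while ((m = re.exec(tag)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Constructed From header carrying the display name from step 2.
const sampleFrom = '"\\" onmouseover=alert(0) a" <sender@example.com>';
const senderName = displayName(sampleFrom);
console.log(attributeNames(renderUnsafe(senderName))); // event-handler attribute appears
console.log(attributeNames(renderSafe(senderName)));   // only the intended attributes
```

The same encoding has to be applied at every place the display name is rendered (message list, reading pane, compose and contact views), since a single unencoded sink is enough.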

Proof Of Concept [Image]:

Proof Of Concept [Video]:

Google- Multiple Account Creation Bug [Write-up & Video]

Steps to reproduce bug:

1. Go to

2. Enter your mobile number and click "Next". You will receive a message on your phone. Open message and there would be a link like or

3. Go to the link in computer's web browser and confirm the verification. Follow the steps and create a Google account.

For verification: Open new tab and go to . You will be logged into the account that you've just created.

4. Now, hit back button twice or till you're back to "Choose your username" page.

Enter New Username->Password->Account Created.

Hit back button, Enter New Username->Password->Account Created. Repeat it again and again.

To make this process easier, create a bot and run it with multiple threads :)

Video (POC):

Lumia 920 Reward From Nokia for SQL Injection Report

SQL Injection (POC):

Reward Confirmation:

XSS [FIXED] [HOF]

Vulnerability Type: Cross Site Scripting (XSS)
  • Reported on 28 June 3013
  • Fixed Now

Sign into Google account and go to:

Now, Tick the box "I want to use Google Spreadsheet to store, edit and upload my feed" and Select 2nd option.

It will ask us to enter the URL, type "javascript:alert(1)" without quotes and type "Click Me" in Doc's Title field.

Click OK. Now click on "Click Me" and you will see a Pop-up due to XSS vulnerability.


I reported this vulnerability to Google and I received the reply below:

Due to the requirement for the victim to take a few actions, the panel has determined this bug didn't meet the threshold for a reward. Nonetheless, we'd like to acknowledge your assistance on our credit page ( under "Honorable Mention" - are you interested? If so, what name/link should we list?
It should be of the form: name - site [site link] 
I re-edited my URL:

Now, the victim has to only tick the "I want to use Google" option and click on "Click Me"

To make it easier, we could write something else in place of "Click Me" like:

  • Session Timed Out! Click To Login Again
  • Click here to Sign in

I re-submitted and received the reply below from Google:
Thank you for the followup however the decision stands as is.
The vulnerability was fixed after a few days.

Paypal- Privilege Escalation Vulnerability [Delete Any User]

Vulnerability Type: Privilege Escalation

Vulnerable Website:

Status: Fixed

Vulnerability Overview: This vulnerability allowed an attacker to delete any user registered in


I forgot to take screenshots but I am sure my detailed write-up will make everything clear.

Google Play - Cross Site Scripting (XSS) Vulnerability

Vulnerability Type: Cross Site Scripting (XSS)

  • Reported on 16 July 2013
  • Fixed on 17 July 2013


Google recently changed its design of Google Play, which led to this XSS vulnerability.

Head to Google Play settings (