A 2FA bypass vulnerability was discovered on Pandao.ru (in scope of Mail.ru's extended bug bounty program): the CSRF token that authorizes disabling 2FA never expires, so an attacker who obtains it once can reuse the same token to disable 2FA on victim accounts. The vulnerability was reported, but no bounty was awarded because the program excludes client-side attacks.
A researcher demonstrates a full account takeover combining a misconfigured CORS policy with socket-based connections. Because the CORS response headers allow credentialed cross-origin requests, an attacker's page can replay the chain of five interdependent socket requests in JavaScript, extract the victim's session tokens from the responses and hijack the account.
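The following is an added example, not the researcher's PoC and not code from the affected site, showing the server-side CORS decision that makes the attack above possible: an origin-reflecting policy with credentials enabled beside a suffix-matching variant and a hardened allowlist, plus the browser-side rule that decides whether a credentialed response is readable. The allowlist, the origins and the `.example` hosts are hypothetical.

```javascript
// Added example (not the researcher's PoC and not any vendor's code): how a
// server-side CORS decision determines whether a cross-origin page can read
// an authenticated response. The allowlist and origins are hypothetical.
const ALLOWED_ORIGINS = new Set(['https://app.example', 'https://admin.example']);

// Vulnerable: reflects whatever Origin the browser sent and allows
// credentials, so any site can fetch(url, { credentials: 'include' }) and
// read the body, including any session tokens it carries.
function corsHeadersVulnerable(origin) {
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Also vulnerable: a suffix check that was meant to cover subdomains lets an
// attacker-registered origin such as https://evilapp.example through.
function corsHeadersSuffixMatch(origin) {
  if (typeof origin === 'string' && origin.endsWith('app.example')) {
    return corsHeadersVulnerable(origin);
  }
  return {};
}

// Hardened: exact-match allowlist (so "null" and lookalike origins never
// match), credentials only for allowed origins, and Vary: Origin so caches
// do not serve one origin's answer to another.
function corsHeadersHardened(origin) {
  if (typeof origin !== 'string' || !ALLOWED_ORIGINS.has(origin)) {
    return {};   // no CORS headers at all: the browser withholds the response
  }
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// The browser-side rule that matters here: a page at `origin` may read a
// credentialed response only if ACAO equals its origin exactly (never "*")
// and ACAC is exactly "true".
function canReadWithCredentials(origin, hdrs) {
  return hdrs['Access-Control-Allow-Origin'] === origin &&
         hdrs['Access-Control-Allow-Credentials'] === 'true';
}
```

The point of `canReadWithCredentials` is that the browser enforces nothing the server does not ask for: once the server reflects the attacker's origin with credentials allowed, every authenticated response on that endpoint is readable from the attacker's page, and a chained sequence of requests is only a matter of replaying them in order.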
A CSRF vulnerability on Pandao.ru, a Mail.ru-owned site, allowed disabling 2FA on victim accounts by reusing a non-expiring CSRF token. It demonstrates a client-side authentication bypass delivered as a malicious HTML file that the victim opens while logged in to Pandao.ru.
A writeup showing how a self-XSS, which on its own only affects the user who types the payload, becomes a session hijack when chained with clickjacking (UI redressing). Because the page sends no X-Frame-Options header it can be framed by an attacker's site, and a drag-and-drop PoC tricks the victim into placing the payload into the vulnerable field, executing JavaScript in the victim's browser that reads and exfiltrates their cookies (only cookies not marked HttpOnly are readable this way).
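An added example, not the writeup's PoC, for the precondition this chain relies on: a checker that answers whether a response can be framed by a given origin, evaluating Content-Security-Policy frame-ancestors (which takes precedence) and X-Frame-Options. It handles the common sources ('none', 'self', '*', exact origins) and treats unrecognised X-Frame-Options values, including the obsolete ALLOW-FROM, as no protection, which matches Chromium and is stated as an assumption for other browsers. Header values and origins are constructed samples.

```javascript
// Added example (not the writeup's PoC): decide whether a response can be
// framed by `framerOrigin`, the precondition for clickjacking. Simplified
// source handling: 'none', 'self', '*' and exact origins only.
function parseFrameAncestors(csp) {
  if (typeof csp !== 'string') return null;
  for (const directive of csp.split(';')) {
    const parts = directive.trim().split(/\s+/);
    if (parts[0] && parts[0].toLowerCase() === 'frame-ancestors') {
      // Source list after the directive name (empty list means 'none').
      return parts.slice(1).map(s => s.toLowerCase());
    }
  }
  return null;   // directive absent
}

function isFramableBy(headers, pageOrigin, framerOrigin) {
  const get = name => {
    const key = Object.keys(headers).find(k => k.toLowerCase() === name);
    return key === undefined ? undefined : headers[key];
  };
  const page = pageOrigin.toLowerCase(), framer = framerOrigin.toLowerCase();

  // CSP frame-ancestors, when present, wins over X-Frame-Options.
  const sources = parseFrameAncestors(get('content-security-policy'));
  if (sources) {
    if (sources.length === 0 || sources.includes("'none'")) return false;
    return sources.some(src =>
      src === '*' ||
      (src === "'self'" && framer === page) ||
      src === framer);
  }

  const xfo = get('x-frame-options');
  if (typeof xfo !== 'string') return true;      // no protection at all
  const v = xfo.trim().toUpperCase();
  if (v === 'DENY') return false;
  if (v === 'SAMEORIGIN') return framer === page;
  // Obsolete ALLOW-FROM and any other value: Chromium ignores the header,
  // so treat as unprotected (assumption for other browsers).
  return true;
}
```

The missing-header case returning true is exactly the condition the writeup exploits; the fix is either X-Frame-Options: DENY (or SAMEORIGIN) or, preferably, a CSP with frame-ancestors, since CSP also covers the origin-allowlist case that ALLOW-FROM never reliably did.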
A researcher discovered a reflected XSS vulnerability in the redirect parameter of a login page. Injected JavaScript read the email and password fields and exfiltrated their values, allowing credential theft; the report earned a $100 bounty.
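An added example, not the researcher's PoC, of the two defects behind a redirect-parameter XSS and their fixes: the parameter being written into the login page unescaped, and the parameter accepting arbitrary values rather than a local path. The parameter name `next`, the origin `https://app.example` and the inputs are constructed.

```javascript
// Added example (not the researcher's PoC): validating a login page's
// redirect parameter and escaping it before reflection. The parameter name
// `next` and the origin are hypothetical; inputs are constructed.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable: the parameter lands in the page unescaped, so a value such as
// "><script>...</script> closes the attribute and runs in the login page,
// where it can read the email and password fields.
function renderLoginVulnerable(next) {
  return `<form action="/login"><input type="hidden" name="next" value="${next}">`;
}

// Accept only a local, absolute path: rejects scheme-relative (//evil.test),
// backslash tricks, javascript:/data: URLs and header-injection characters,
// then confirms the parsed URL stayed on our own origin.
function safeRedirectPath(next, fallback = '/') {
  if (typeof next !== 'string' || next.length === 0 || next.length > 2048) return fallback;
  if (/[\r\n\0]/.test(next)) return fallback;
  if (!next.startsWith('/') || next.startsWith('//') || next.startsWith('/\\')) return fallback;
  let url;
  try { url = new URL(next, 'https://app.example'); } catch (e) { return fallback; }
  if (url.origin !== 'https://app.example') return fallback;
  return url.pathname + url.search;   // drop any fragment
}

// Hardened: validate first, then escape on output. Both steps matter; the
// validator alone would still reflect a hostile-but-local path unescaped.
function renderLoginHardened(next) {
  const safe = safeRedirectPath(next);
  return `<form action="/login"><input type="hidden" name="next" value="${escapeHtml(safe)}">`;
}
```

Contextual output escaping is what stops the XSS; the path validator additionally closes the open-redirect that a login `next` parameter usually carries alongside it.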