XSS in Zoho Mail

Hello Friends,

How are you all? I hope you are doing good. 

After a long time, I'm sharing another interesting finding here.


Last month I found an XSS vulnerability in Zoho Mail. 

I was busy with my exams. I had to send some work via email to my friend. So, I opened my laptop and then opened my google mail and saw that I've received so many emails. After completing my work and sending an email, I opened my other emails ie Yahoo, Zoho, Hotmail/Outlook etc. and read all emails but nothing was important.

So, I was closing my laptop and at that time, something clicked my mind that there is no image proxy on Zoho mail which is indeed a bug. I don't know why I was thinking that. So, I just visited Zoho mail and opened any random email which contain images and saw that there is an image proxy. Sad! I just copy the image address and opened the URL in the next tab of my browser and the URL look like this


I just changed the source parameter to anothersite.com/pic.jpg and Zoho shows the pic. Fine. After that, my bug hunting mode becomes activated and I just changed the source parameter to anothersite.com/pic.svg and Zoho display the picture then I again changed it to mysite.com/xss.svg and Boom! 
XSS Successfully executed.

So, I reported the issue quickly to Zoho and they triaged my report very fast after some minutes. 

They rewarded me a $200 bounty.

I also checked other vulnerabilities but didn't found any in that short time

Thanks for reading.

Hope you like this sharing.

Have a nice day.

Happy Hacking!


  1. Hi, I'm a newbie in the infosec community. May I ask how a mail provider with no image proxy is a bug ?

    Thanks in advance.

    1. Hi,

      Good question

      It's a vulnerability

      Because without image proxy, hackers can steal users data or fingerprint victims info (like IP, Useragent or OS etc.)

      Also, without image proxy it's possible to perform CSRF attack etc.



Post a Comment

Popular posts from this blog

A Tricky Open Redirect

DoS on WAF Protected Sites by Abusing Cookie