Black & White Path
Jun 10, 2026 · Information Security
How a Single Click Can Fully Compromise a Zoho Account: DOM XSS and PostMessage Misconfiguration Explained
A security researcher uncovered two critical Zoho flaws: a DOM-based XSS on www.zoho.com.cn/assist/videos and a postMessage misconfiguration on www.zoho.com. Chained together, they let an attacker hijack a victim's account from a single malicious link, then read the victim's email, capture OTPs, and take full control of the account.
Account Takeover · DOM XSS · PostMessage

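As an added illustration of the two bug classes the summary names, and not Zoho's code, the researcher's proof of concept, or a description of the actual flaws, the following JavaScript models a postMessage listener that trusts any sender and writes its payload into a DOM sink, beside a hardened version with an exact-match origin allowlist and a text-only sink. It also contrasts a substring origin check, a common form of postMessage misconfiguration, with an exact match. The origins, message schema and helper names are hypothetical, and the browser window is modelled as a plain object so the code runs under Node without a DOM.

```javascript
// Illustrative example of DOM XSS reachable through a postMessage listener.
// Not Zoho's code and not the researcher's PoC; origins and schema are made up.

// Minimal HTML escaping for a text sink (constructed helper, not a library call).
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Common misconfiguration: a substring test on event.origin. It "passes" for
// https://app.example.com.attacker.net because the trusted host is a substring.
function weakOriginCheck(origin) {
  return origin.includes('app.example.com');
}

// Correct check: exact match against a fixed allowlist of full origins
// (scheme + host + port), never a regex or substring test.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']); // hypothetical
function strictOriginCheck(origin) {
  return ALLOWED_ORIGINS.has(origin);
}

// Vulnerable listener: no origin check at all, and the message payload is
// written straight into innerHTML. Any page that holds a window reference
// (opener, iframe parent/child) can inject markup, so a single link suffices.
function vulnerableHandler(doc, event) {
  const { html } = JSON.parse(event.data);
  doc.innerHTML = html; // DOM XSS sink
  return doc.innerHTML;
}

// Hardened listener: strict origin check, a fixed message schema, and only
// escaped text reaches the page.
function hardenedHandler(doc, event) {
  if (!strictOriginCheck(event.origin)) {
    return { accepted: false, reason: 'origin not allowed' };
  }
  let msg;
  try {
    msg = JSON.parse(event.data);
  } catch (e) {
    return { accepted: false, reason: 'bad json' };
  }
  if (typeof msg !== 'object' || msg === null || typeof msg.text !== 'string') {
    return { accepted: false, reason: 'bad schema' };
  }
  doc.innerHTML = `<p>${escapeHtml(msg.text)}</p>`;
  return { accepted: true, rendered: doc.innerHTML };
}

// Constructed attacker message, as a page on an unrelated origin would send it.
const ATTACKER_EVENT = {
  origin: 'https://evil.example',
  data: JSON.stringify({
    html: '<img src=x onerror="alert(document.cookie)">',
    text: '<img src=x onerror="alert(1)">',
  }),
};

// Runs both listeners against the same hostile message and returns the outcome.
function demo() {
  const vulnDoc = { innerHTML: '' };
  const hardDoc = { innerHTML: '' };
  return {
    vuln: vulnerableHandler(vulnDoc, ATTACKER_EVENT), // contains onerror= handler
    hard: hardenedHandler(hardDoc, ATTACKER_EVENT),   // rejected: origin not allowed
  };
}

console.log(demo());
```

The second half of the chain the summary describes, turning script execution into account takeover, is not modelled here; the point of the example is that the origin check and the choice of sink together decide whether a cross-origin message can reach the DOM at all.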