WEB.DE postMessage Origin Bypass PoC

Domain: pocweb.de | CVSS 8.1 HIGH | CWE-346 | 14 of 18 tested use cases exploitable incl. mail_compose + settings

This page proves that pocweb.de can send IAC use-case commands to WEB.DE webmail via postMessage: the receiving frame validates the sender's origin with host.includes("web.de") instead of an exact domain match, so any host whose name merely contains the substring web.de (pocweb.de, evilweb.de) passes the check. The victim must be logged into WEB.DE in the same browser. NEW: mail_compose opens a pre-filled email compose with attacker-controlled recipient, subject, body, and BCC.

CRITICAL: Email Compose (BEC Attack)

Integrity: High (persistent writes)

Confidentiality: Low (PII on screen)

Settings Hijacking (Persistent Account Compromise)

Navigation Hijacking + Cloud

Proof: Origin Bypass

Origin              host.includes("web.de")   Should pass?
navigator.web.de    true                      Yes (legitimate)
pocweb.de           true                      NO — bypass
evilweb.de          true                      NO — bypass
evil.com            false                     Correct
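The table above and the description of the flaw boil down to one comparison. The following is an added example, not WEB.DE's code and not part of the PoC page: it runs the substring check the report describes, a common half-fix (suffix match without the leading dot), and an exact-origin allowlist over the four origins from the table, then shows a simulated listener accepting or rejecting a constructed mail_compose message. The allowlist entry https://web.de, the https scheme prepended to the table's hosts, and the message shape {useCase, params} are assumptions for illustration.

```javascript
// Added example (not WEB.DE's code). Assumptions: origins use https, the
// allowlist contains https://web.de in addition to the page's
// navigator.web.de, and IAC messages look like {useCase, params}.

// Vulnerable check as described in the report: any host containing the
// substring "web.de" is trusted, so pocweb.de and evilweb.de pass.
function isTrustedVulnerable(origin) {
  try {
    return new URL(origin).host.includes("web.de");
  } catch {
    return false; // not a parseable origin, e.g. the literal "null"
  }
}

// Common half-fix: a suffix match without a leading dot still trusts
// evilweb.de, because "evilweb.de".endsWith("web.de") is true.
function isTrustedSuffix(origin) {
  try {
    return new URL(origin).host.endsWith("web.de");
  } catch {
    return false;
  }
}

// Hardened check: event.origin is exactly scheme://host[:port], never a path
// or trailing slash, so compare the whole string against an explicit
// allowlist. No parsing, no substring logic.
const ALLOWED_ORIGINS = new Set([
  "https://navigator.web.de", // from the page's table
  "https://web.de", // assumed additional legitimate origin
]);

function isTrustedExact(origin) {
  return ALLOWED_ORIGINS.has(origin);
}

// Simulated message listener: dispatches the use case only when the origin
// check passes. Returns the dispatched command, or null when rejected.
function handleIacMessage(event, isTrusted) {
  if (!isTrusted(event.origin)) return null;
  const msg = event.data;
  if (!msg || typeof msg.useCase !== "string") return null;
  return { useCase: msg.useCase, params: msg.params ?? {} };
}

// Origins from the page's table, with an assumed https scheme added.
const ORIGINS = [
  "https://navigator.web.de",
  "https://pocweb.de",
  "https://evilweb.de",
  "https://evil.com",
];

// Runs each checker over each origin; returns { checker: { origin: bool } }.
function evaluate() {
  const checkers = {
    vulnerable: isTrustedVulnerable,
    suffix: isTrustedSuffix,
    exact: isTrustedExact,
  };
  const out = {};
  for (const [name, fn] of Object.entries(checkers)) {
    out[name] = Object.fromEntries(ORIGINS.map((o) => [o, fn(o)]));
  }
  return out;
}

// Constructed attacker message from the PoC domain (shape is an assumption).
const attackerEvent = {
  origin: "https://pocweb.de",
  data: {
    useCase: "mail_compose",
    params: { to: "victim-contact@example.com", subject: "Invoice", bcc: "attacker@example.com" },
  },
};

console.log(JSON.stringify(evaluate(), null, 2));
console.log("vulnerable listener:", handleIacMessage(attackerEvent, isTrustedVulnerable));
console.log("hardened listener:", handleIacMessage(attackerEvent, isTrustedExact));
```

Comparing the full origin string is the check to reach for: it covers scheme, host and port in one step, and it cannot be fooled by a registered lookalike domain, whereas both the includes and the endsWith variants accept evilweb.de.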

Security research by adriansie25 | Authorized via United Internet Bug Bounty | 2026-03-22 | Report: CWE-346 postMessage Origin Validation Error