ICQ

target_in_scope

asset_identifier asset_type availability requirement confidentiality requirement eligible for bounty eligible for submission integrity requirement max_severity
*.icq.com URL medium medium medium critical
### API (icq.com) and the main web landing **What it does:** This is domain with some API endpoints (see domain names below for functionality description). Also there is the main web landing https://icq.com where user can update profile, request reset password and etc. * icq.com * files.icq.com * wapi.icq.com * store.icq.com * search.icq.com **What security issues best to look for:** Critical web application security flaws from [OWASP Top 10](https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project) such as: Injections, Broken Authentication, Sensitive Data Exposure, Broken Access Control. Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF) are accepted with low impact (except web.icq.com, use different asset). **What it runs on:** PHP, Nginx
*.icq.net URL medium medium medium critical
### API (icq.net) **What it does:** This is sandbox domain with API and static data * api.icq.net * bos.icq.net * rapi.icq.net * botapi.icq.net **What security issues best to look for:** Critical web application security flaws from [OWASP Top 10](https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project) such as: Injections, Broken Authentication, Sensitive Data Exposure, Broken Access Control. Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF) **are not accepted**. **What it runs on:** C/C++, PHP, Nginx
ICQ DOWNLOADABLE_EXECUTABLES high high high critical
### ICQ desktop application **What it does:**This is official ICQ desktop client for Windows, Linux, Mac OS X. It runs native OS code and have connections to the API endpoints. **What security issues best to look for:** Remote Code Execution in client, Remote permanent (resistant to application restart) DoS against application, Broken Authentication, Sensitive Data Exposure, Broken Access Control. **Reports based on the source code are not accepted**. Confirm the problem actually exists in application and report it for executable. **What it runs on:** C++, QT, boost, ffmpeg, libevent. Source code is available on GitHub https://github.com/mailru/icqdesktop.
agent.mail.ru URL low low medium high
## Mail.Ru Agent the main web landing page **What it does**: This is the main web product page https://agent.mail.ru/ where user can download Mail.Ru Agent applications for specific platforms. **What security issues best to look for:** Critical web application security flaws from [OWASP Top 10](https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project) such as Injections. **What it runs on:** PHP, Nginx
com.icq.icqfree APPLE_STORE_APP_ID high high high critical
### ICQ for iOS **What it does:** This is official ICQ for iOS client. It runs native mobile OS code and have connections to the API endpoints. **What security issues best to look for:**Mobile application security flaws from [OWASP Mobile Security Project](https://www.owasp.org/index.php/OWASP_Mobile_Security_Project) such as: Improper Platform Usage, Insecure Communication and Insecure Data Storage, remote permanent (resistant to application restart) DoS against application. **What it runs on:** Objective-C, C++, Objective C++, boost, rapidjson, sqlpp11, cpplog
com.icq.mobile.client GOOGLE_PLAY_APP_ID high high high critical
### ICQ for Android **What it does:** This is official ICQ for Android client. It runs native mobile OS code and have connections to the API endpoints. **What security issues best to look for:** Mobile application security flaws from [OWASP Mobile Security Project](https://www.owasp.org/index.php/OWASP_Mobile_Security_Project) such as: Improper Platform Usage, Insecure Communication and Insecure Data Storage, remote permanent (resistant to application restart) DoS against application. **What it runs on:** Java, Kotlin, OkHttp, ffmpeg, gson
web.icq.com URL high high high critical
### ICQ web application **What it does**: This is official ICQ web application client. So you need only modern web browser to use ICQ. It is static and all requests and features interact with the API. **What security issues best to look for:** Common web application security flaws from [OWASP Top 10](https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project) such as: Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF). **What it runs on:** HTML, JavaScript, Nginx

target_out_of_scope

asset_identifier asset_type availability requirement confidentiality requirement eligible for bounty eligible for submission integrity requirement max_severity
Mail.Ru Agent DOWNLOADABLE_EXECUTABLES none
## Mail.Ru Agent desktop application Please, search for security issues in ICQ desktop application.
https://github.com/mailru/icqdesktop SOURCE_CODE critical
Reports based on the source code are not accepted. Confirm the problem actually exists in application and report it for executable.
ru.mail GOOGLE_PLAY_APP_ID none
## Mail.Ru Agent for Android Please, search for security issues in ICQ for Android
ru.mail.agent APPLE_STORE_APP_ID none
## Mail.Ru Agent for iOS Please, search for security issues in ICQ for iOS
webagent.mail.ru URL none
## Mail.Ru Agent web application **What it does:** This is official Mail.Ru Agent web application client https://webagent.mail.ru/webim/agent/popup.html. Please, search for security issues in ICQ web application.