How We Are Able To Hack Any Company By Sending Message - $20,000 Bounty [CVE-2021-34506]

Published on 07 June 2025

Hello Folks, I hope everyone is doing well in this pandemic & making full use of it for learning new stuff. This is a story about hacking into major companies like Facebook, Google, Microsoft, etc.

On June 3rd, my friend MrRajputHacker (Shivam Kumar Singh) and I (Th3Pr0xyB0y / Vansh Devgan) were hunting on a mail.ru subdomain (from HackerOne).

Since the program was in Russian and we were using Firefox with Burp Suite, we had trouble translating the page. We looked for translation extensions but found many were removed due to vulnerabilities. This led us to explore how vulnerable browser extensions can compromise security.

We then decided to target Microsoft Edge due to its built-in translator and bounty program. We discovered that translating a page with an <img src=x onerror=alert(1)> payload resulted in XSS execution due to a lack of input sanitization.

Below is the affected code snippet:

We created a POC.html file containing multi-language text and an XSS payload:

Steps To Reproduce

  1. Create and save a file named POC.html with the provided code snippet.
  2. Run a local Python server in the same directory:
    python3 -m http.server 80
  3. Open Microsoft Edge (Version 91.0.864.48) and visit http://localhost/POC.html
  4. Click "Translate" when prompted.
  5. XSS payload executes and shows alert(1).

Note: A server is needed because Edge may not prompt for translation when opening a local file directly.

Conditions for Remote Exploit

  • User must be using Microsoft Edge
  • Auto-translate must be enabled

Impact

  • Any site reflecting <img src=x onerror=alert(1)> becomes vulnerable.
  • Users who translate content from other languages could trigger XSS.
  • All Microsoft Edge users with translation enabled are vulnerable.
  • Malicious payloads in messages/emails in foreign languages could trigger XSS.
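
Why a page that escapes the string correctly is still affected once its text is translated, as an added example (not code from the original post and not Microsoft Edge's code). It assumes the translator read each text node and wrote the result back as markup, which is how the missing sanitization described above would play out; translate, readTextNode, writeBackAsMarkup, writeBackAsText and the sample dictionary are hypothetical names and constructed data.

```javascript
// Added illustration, not Microsoft Edge code; every name here is hypothetical.

// Stand-in for the translation service: unknown words pass through unchanged.
const DICTIONARY = new Map([["Привет", "Hello"], ["мир", "world"]]); // constructed
function translate(text) {
  return text.split(/(\s+)/).map((w) => DICTIONARY.get(w) ?? w).join("");
}

// What the hosting site does correctly: escape user text before emitting HTML.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// What a translator gets when it reads a text node: the decoded characters.
function readTextNode(escapedHtml) {
  return escapedHtml
    .replace(/&lt;/g, "<").replace(/&gt;/g, ">")
    .replace(/&quot;/g, '"').replace(/&#39;/g, "'").replace(/&amp;/g, "&");
}

// Unsafe write-back: the translated string is treated as markup (innerHTML-style).
function writeBackAsMarkup(translated) {
  return translated;
}

// Safe write-back: the translated string stays text (textContent-style).
function writeBackAsText(translated) {
  return escapeHtml(translated);
}

// True when the markup would parse into at least one element start tag.
function introducesElement(markup) {
  return /<[a-zA-Z][^>]*>/.test(markup);
}

// Constructed input: a user-supplied string as a site stores and serves it.
const userText = "Привет <img src=x onerror=alert(1)> мир";
const served = escapeHtml(userText); // inert on the original page
const translated = translate(readTextNode(served));

for (const [label, markup] of [["served", served],
  ["written back as markup", writeBackAsMarkup(translated)],
  ["written back as text", writeBackAsText(translated)]]) {
  console.log(`${label}: ${markup} -> new element: ${introducesElement(markup)}`);
}
```

Only the textContent-style write-back keeps the translated string from being parsed as HTML, so the escaping done by the hosting site survives translation.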

Exploitation Scenarios

Facebook

Create a profile with a foreign language + XSS name and send friend request. When viewed in Edge with auto-translate: XSS triggers.

Google

Leave a review with foreign language + XSS payload. When viewed in Edge: XSS triggers.

Windows Store Apps

Apps like Instagram running in web view with Microsoft Edge's translator are also vulnerable.

Timeline

  • 3rd June 2021: Report sent to Microsoft
  • 7th June 2021: Microsoft acknowledged the report
  • 8th June 2021: Sent additional impact info
  • 15th June 2021: Report triaged
  • 17th June 2021: $20,000 bounty awarded
  • 19th June 2021: Pre-release patch
  • 24th June 2021: Patch released (CVE-2021-34506)

Read Microsoft release and acknowledgement: Here


Thanks everyone for reading! Don’t forget to clap if you liked it.
