The following video demonstrates a postMessage flaw identified within the Apple iCloud service. In the video a Cross-Domain message is submitted to iCloud.com to remotely compromise the target users email account.
A full analysis of the flaw can be found within the Hunting postMessage Vulnerabilities whitepaper published at;
http://www.sec-1.com/blog/2016/hunting-html-5-postmessage-vulnerabilities
And
http://appcheck-ng.com/hunting-html-5-postmessage-vulnerabilities/
