Skip to main content

Google Open Source Blog Clickjacking Vulnerability

Missing x-frame protection

            
Discovered on: 22nd, January 2017.            Research Time: 10:00 p.m to 12:00 a.m.

Earn more by display ads on blog with Lithific Ads

         Well-placed clicks can make you do unintended actions like DELETING your comments if there is no X-frame protection for any web page because it could be embedded in a frame of evil 😈websites. The attackers can place few clickable elements on the page and make the users perform sensitive actions.

I was testing on Yahoo! for vulnerabilities on 21st January and thought to check for Clickjacking vulnerability if other attacks couldn't succeed. I was successful in finding clickjacking vulnerability in one of the end points of finance.yahoo.com. I thought of submitting the bug to Yahoo! but unfortunately, this type of vulnerability was out of scope😑.

Later I thought of testing Google! because my rank was going down. It was around 10:00 p.m. I was just going through the Google Open Source blog (Domain opensource.googleblog.com), this is the place where Google updates any news about student's program or Software updates. I found that the page itself could be embedded in a frame.😉

I wrote code in HTML, CSS and Javascript. The URL of the comment section (Domain: apis.google.com) of the Blog was used as src value of <iframe> tag. Using CSS I made the comment section TRANSPARENT so that user may not know what he/she is doing. When the code is rendered in a web browser it looks like this.



When the user clicks on all the buttons the comment that the user made will be DELETED. How??

The following images show what was happening behind....

In the image below you could see the comments section hiding.
After Clicking Square 1, a drop down menu is shown. Square 2 is placed on Delete option, and after clicking on "2" an alert box would be shown whether to delete the comment or not.

Want to get icons for app Development Here  it's 






 After clicking "3"...



The Comment will be deleted 😃


Deleting the comment is one thing in the attack scenario. What else the attackers can make the users do?

1.) Can EDIT the comments.
2.) Report  users comments as ABUSE or SPAM
3.) MUTE others.
4.) +1 on users' comments.

I reported this to Google because the blog's comment section is vulnerable as the attackers may delete, edit the user's comments.  Within 24 hours my report was triaged and sent to the product team. Again I was expecting a "$" in the reply.

After a week I got the reply from the security team...

BAD LUCK  😞😞

Earn more by display ads on blog with Lithific Ads

Comments

  1. velraj15 April 2019 at 02:58



    The above points are very useful for my research. Please share more like this. Thanks!
    LoadRunner Training in Chennai
    performance testing training
    Loadrunner Training in Adyar
    QTP Training in Chennai
    qtp course in chennai
    .Net training in chennai
    Html5 Training in Chennai
    LoadRunner Training in Chennai

    ReplyDelete
  2. gmailcustomersupportservice6 August 2019 at 23:02

    thanks for sharing with us this information i really glade to read it and i appreciate your knowledge
    if you need any technical help so contact us and feel free to call:+1-866-535-7333
    http://www.gmailinformation.com/blog/google-drive-encryption/

    ReplyDelete
  3. Rajani1 May 2020 at 04:31

    Thank you for your post. This is excellent information.
    DevOps Training
    DevOps Online Training
    DevOps Training in Ameerpet

    ReplyDelete
  4. Janu22 May 2020 at 21:21

    Thanks for sharing with us this information i really glade to read it and i appreciate your knowledge



    Dot Net Training in Chennai | Dot Net Training in anna nagar | Dot Net Training in omr | Dot Net Training in porur | Dot Net Training in tambaram | Dot Net Training in velachery














    ReplyDelete
  5. dhinesh26 July 2020 at 09:02

    Excellent Blog! I would Thanks for sharing this wonderful content.its very useful to us.I gained many unknown information, the way you have clearly explained is really fantastic.keep posting such useful information.
    Full Stack Training in Chennai | Certification | Online Training Course
    Full Stack Training in Bangalore | Certification | Online Training Course
    Full Stack Training in Hyderabad | Certification | Online Training Course
    Full Stack Developer Training in Chennai | Mean Stack Developer Training in Chennai
    Full Stack Training

    Full Stack Online Training

    ReplyDelete
  6. Elon Musk2 November 2020 at 02:47

    Interesting topic for a blog. I have been searching the Internet for fun and came upon your website. Fabulous post. Thanks a ton for sharing your knowledge! It is great to see that some people still put in an effort into managing their websites. I'll be sure to check back again real soon. source

    ReplyDelete

Post a Comment

Popular posts from this blog

Google form setting Bypass - Making my way to the Google's Hall of Fame !

  G o o g l e ! Bug : Circumventing "Limit to 1 response" of  Google forms  ( Parameter Injection )        Discovered on: 30th, November 2016.            Research Time: 2:00 p.m to 9:30 p.m. Earn more by display ads on blog with  Lithific Ads The setting is "Limit to 1 response" which means only one response per user. Once you filled the form there will be no chance to edit the responses or again fill a new form. If you open the form to fill again, the response would be like the image below. There is no way to edit or fill another form (Hurdle 1). I created a test form and checked "Edit after submit". Once this test form is filled I can change the previous response.  I clicked on the "Edit your  response"and intercepted the request.  I changed the form id and forwarded the request. I was able to see the form that was submitted. When I edited the form and submitted, a blank form was sent. (Hurdle 2). I analysed the requests f
1 comment
Read more

Facebook Bug Bounty $$$$ : Crossposting Live Videos | Facebook Live

In the Facebook Page Settings, you could setup the option for Crossposting Live videos from other pages.  The Attacker's page adds a Page (Victim's Page) for crossposting their videos Victim Page's Admin accepts the approval and the default option is Crossposting videos without further approval The Attacker starts live video and selects Victim's Page in the "Crosspost to more pages" Victim visits the Crossposting page in the Page settings and and removes Attacker's Page Attacker selects "Use camera" and clicks on "Go Live". The Victim's Page starts automatically crossposting the live video of Attacker,  Bug Bounty of $500
Post a Comment
Read more

Facebook Messenger bug. React to any message on behalf of a Facebook Page

Reacting to Facebook Messages  An Admin can interact with his Facebook Page through Facebok page's Inbox, there is no UI to react to the messages like HAHA, LOVE etc.  Reply to the messages . You must be knowing about the WhatsApp messenger's Reply feature where you can reply to a particular message. There is something for Facebook messenger too. You can reply to message by hovering over the message and there will be "Reply" option. Click on that.  Now type some random message and click on "Send" and intercept the request. You can find in the HTTP Request that there is a parameter "message_id" in the message body. Change to some other message_id that doesn't belong to chat that you currently opened. Now I sent the request. There was an error that was thrown saying .. "The content is longer available".  Now my next adventure to try to find a bug in the Messaging continues. If you have a conversation with your girlfriend you can alway
1 comment
Read more