Top 25 Clickjacking Bug Bounty Reports

3 years ago 245
BOOK THIS SPACE FOR AD
ARTICLE AD

Cristian Cornea

(Photo by Umberto on Unsplash)

In this article, we will discuss the Clickjacking vulnerability, how to find one, and present 25 disclosed reports based on this issue.

Clickjacking is a vulnerability through which users are tricked (visually) to click some buttons or UI elements of the parent page, but in reality they are clicking something in the vulnerable web application, because that is being hidden behind the UI of the parent page. Basically the clicks of the users are hijacked for another action within a different page.

It can lead to unrestricted actions being performed, malware download, likejacking (for social media pages), and more.

There are multiple ways of testing if there is any clickjacking possibility within a web application. The one that I use mostly is the Burp Clickbandit feature of the Burp Suite tool.

Another option would be to use an iframe on localhost for the website, as following:

<iframe src="URL"></iframe>

Or, if you want to do it quickly, you can use the following website: https://www.lookout.net/test/clickjack.html

The solution to prevent against Clickjacking attacks is pretty straight-forward, just use the X-Frame-Options header. More you can find here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options

The reports were disclosed through the HackerOne platform and were selected according to their upvotes, bounty, severity level, complexity, and uniqueness.

#1

Title: Highly wormable clickjacking in player card

Company: Twitter

Bounty: $5,040

Link: https://hackerone.com/reports/85624

#2

Title: OAuth authorization page vulnerable to clickjacking

Company: Coinbase

Bounty: $5,000

Link: https://hackerone.com/reports/65825

#3

Title: Twitter Periscope Clickjacking Vulnerability

Company: Twitter

Bounty: $1,120

Link: https://hackerone.com/reports/591432

#4

Title: Viral Direct Message Clickjacking via link truncation leading to capture of both Google credentials & installation of malicious 3rd party Twitter App

Company: Twitter

Bounty: $1,120

Link: https://hackerone.com/reports/643274

#5

Title: Stealing User emails by clickjacking cards.twitter.com/xxx/xxx

Company: Twitter

Bounty: $1,120

Link: https://hackerone.com/reports/154963

#6

Title: Clickjacking Periscope.tv on Chrome

Company: Twitter

Bounty: $560

Link: https://hackerone.com/reports/198622

#7

Title: ClickJacking on IMPORTANT Functions of Yelp

Company: Yelp

Bounty: $500

Link: https://hackerone.com/reports/305128

#8

Title: CRITICAL-CLICKJACKING at Yelp Reservations Resulting in exposure of victim Private Data (Email info) + Victim Credit Card MissUse.

Company: Yelp

Bounty: $500

Link: https://hackerone.com/reports/355859

#9

Title: Site-wide clickjacking at IE11

Company: New Relic

Bounty: $500

Link: https://hackerone.com/reports/614947

#10

Title: Bypass of the Clickjacking protection on Flickr using data URL in iframes

Company: Verizon Media

Bounty: $250

Link: https://hackerone.com/reports/7264

#11

Title: Make user buy items via clickjacking possibility

Company: Mail.ru

Bounty: $200

Link: https://hackerone.com/reports/471967

#12

Title: [api.tumblr.com] Exploiting clickjacking vulnerability to trigger self DOM-based XSS

Company: Automattic

Bounty: $150

Link: https://hackerone.com/reports/953579

#13

Title: Modifying application settings via clickjacking on o2.mail.ru

Company: Mail.ru

Bounty: $150

Link: https://hackerone.com/reports/355774

#14

Title: Single Sing On — Clickjacking

Company: Semrush

Bounty: $150

Link: https://hackerone.com/reports/299009

#15

Title: Following links are vulnerable to clickjacking

Company: Semrush

Bounty: $150

Link: https://hackerone.com/reports/289246

#16

Title: Clickjacking Vulnerability via https://webagent.mail.ru leading to protection bypass for https://web.icq.com/ end point

Company: Mail.ru

Bounty: $150

Link: https://hackerone.com/reports/918923

#17

Title: Sensitive Clickjacking on admin login page.

Company: Shipt

Bounty: $100

Link: https://hackerone.com/reports/389145

#18

Title: self-xss with ClickJacking can leads to account takeover in Firefox

Company: Imgur

Bounty: $100

Link: https://hackerone.com/reports/892289

#19

Title: Clickjacking Vulnerability found on Yelp

Company: Yelp

Bounty: $100

Link: https://hackerone.com/reports/214087

#20

Title: Clickjacking at ylands.com

Company: BOHEMIA INTERACTIVE a.s

Bounty: $80

Link: https://hackerone.com/reports/405342

#21

Title: Modify account details by exploiting clickjacking vulnerability on refer.wordpress.com

Company: Automattic

Bounty: $75

Link: https://hackerone.com/reports/765355

#22

Title: Clickjacking on donation page

Company: WordPress

Bounty: $50

Link: https://hackerone.com/reports/921709

#23

Title: Clickjacking at https://www.mavenlink.com/ main website

Company: Mavenlink

Bounty: $50

Link: https://hackerone.com/reports/14631

#24

Title: Clickjacking

Company: Mavenlink

Bounty: $50

Link: https://hackerone.com/reports/21110

#25

Title: AWS S3 website can’t serve security headers, may allow clickjacking

Company: Legal Robot

Bounty: $40

Link: https://hackerone.com/reports/149572

#1

Title: Clickjacking in the admin page

Company: Rocket.Chat

Bounty: $0

Link: https://hackerone.com/reports/728004

#2

Title: Clickjacking on cas.acronis.com login page

Company: Acronis

Bounty: $0

Link: https://hackerone.com/reports/971234

#3

Title: Clickjacking In jobs.wordpress.net

Company: WordPress

Bounty: $0

Link: https://hackerone.com/reports/223024

#4

Title: Clickjacking in [exchangemarketplace.com]

Company: Shopify

Bounty: $0

Link: https://hackerone.com/reports/658217

#5

Title: Clickjacking wordcamp.org

Company: WordPress

Bounty: $0

Link: https://hackerone.com/reports/230581

#6

Title: URL is vulnerable to clickjacking

Company: MyCrypto

Bounty: $0

Link: https://hackerone.com/reports/712376

#7

Title: Clickjacking mercantile.wordpress.org

Company: WordPress

Bounty: $0

Link: https://hackerone.com/reports/264125

#8

Title: Get ip and Geo location any user via Clickjacking with inspectlet technology

Company: Acronis

Bounty: $0

Link: https://hackerone.com/reports/998555

#9

Title: Clickjacking on authorized page https://wakatime.com/share/embed

Company: WakaTime

Bounty: $0

Link: https://hackerone.com/reports/244967

#10

Title: Clickjacking — https://mercantile.wordpress.org/

Company: WordPress

Bounty: $0

Link: https://hackerone.com/reports/258283

Many thanks, and wish you a beautiful day!

Read Entire Article