SEMrush: clickjacking to Semrush auth login

ID H1:318295
Type hackerone
Reporter karrrtik
Modified 2018-03-13T14:25:36


Description: Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on. this attack could be perform to semrush auth user because its direct popup for login.

Steps To Reproduce: Create HTML file containg following code: <iframe src=""></iframe> Execute the HTML file & you will see Single Sing On login page present trough the iframe.


Revealing confidential information(credentials) AND/OR taking control of their computer/account while clicking on seemingly innocuous web pages.

The hacker selected the UI Redressing (Clickjacking) weakness. This vulnerability type requires contextual information from the hacker. They provided the following answers:


Can a victim be tricked into unknowingly initiating a specific action? Yes

What specific action can the user be tricked into? semrush auth login could be hack