Respondly: Clickjacking - changing role

2014-04-17T20:32:11
ID H1:7924
Type hackerone
Reporter smiegles
Modified 2014-04-21T10:17:11

Description

Hi,

I'm able to frame the page. When I make a frame with an opacity of 0 and a button at the position of the role switch, I can change the role without the victim knowing.

PoC screen: http://prntscr.com/3ay0mh

PoC code: <iframe src="https://app.respond.ly" style="width:100%;height:100%;margin:0;border:0;"></iframe>

Best regards,

Olivier Beg
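
The framing in the report only works when the response carries no anti-framing header. The following check is an added example, not part of the original report or of Respondly's code: it classifies a response's headers by whether an arbitrary third-party origin could frame the page. The function names and the sample header objects are hypothetical and constructed for illustration.

```javascript
// Added example: classify response headers by whether an arbitrary
// third-party origin may frame the page. Handles one CSP header and one
// X-Frame-Options value; sample inputs below are constructed, not captured.

// Return the source list of the frame-ancestors directive, or null if absent.
function frameAncestors(csp) {
  for (const directive of (csp || "").split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-ancestors") return sources;
  }
  return null; // note: frame-ancestors does not fall back to default-src
}

// Returns "blocked", "allow-list" or "framable".
function crossOriginFraming(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  // Where frame-ancestors is present it is the policy that is enforced.
  const fa = frameAncestors(h["content-security-policy"]);
  if (fa !== null) {
    const list = fa.map((s) => s.toLowerCase());
    if (list.some((s) => s === "*" || s === "https:" || s === "http:")) {
      return "framable"; // wildcard or scheme-only source admits any origin
    }
    // An empty list behaves like 'none'; 'self' excludes other origins.
    if (list.every((s) => s === "'none'" || s === "'self'")) return "blocked";
    return "allow-list"; // only the listed origins may frame the page
  }

  // DENY and SAMEORIGIN both stop a third-party frame. The obsolete
  // ALLOW-FROM form and unknown values are not enforced by current browsers.
  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY" || xfo === "SAMEORIGIN") return "blocked";
  return "framable";
}

// Constructed samples: a response with no framing policy, and a hardened one.
console.log(crossOriginFraming({ "Content-Type": "text/html" }));
console.log(crossOriginFraming({
  "Content-Security-Policy": "frame-ancestors 'none'",
  "X-Frame-Options": "DENY",
}));
```

A "framable" result on a page with state-changing controls, such as the role switch in this report, is the condition to fix by sending one of the blocking headers.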