Respondly: Clickjacking - changing role

ID H1:7924
Type hackerone
Reporter smiegles
Modified 2014-04-21T10:17:11



I'm able to frame the page. When I make a frame with an opacity of 0 and a button at the position of the role switch, I can change the role without the victim knowing that.

A PoC screen:

A PoC code: <iframe src="" style="width:100%;height:100%;margin:0;border:0;"></iframe>

Best regards,

Olivier Beg
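
A defensive check for the condition this report describes, added here as an example and not part of the original report or Respondly's code: it classifies whether a response's headers stop a cross-origin page from framing it. The function names, verdict strings and sample headers are assumptions constructed for illustration.

```javascript
// Added example: classify a response's anti-framing headers.
// Header names are expected lower-cased, as Node's http module delivers them.

// Return the frame-ancestors source list of every comma-separated CSP policy.
function frameAncestors(cspHeader) {
  return cspHeader.split(',').map((policy) => {
    for (const directive of policy.split(';')) {
      const [name, ...sources] = directive.trim().split(/\s+/);
      if (name.toLowerCase() === 'frame-ancestors') return sources;
    }
    return null; // this policy does not restrict framing
  }).filter((list) => list !== null);
}

function framingVerdict(headers) {
  const lists = frameAncestors(headers['content-security-policy'] || '');
  if (lists.length > 0) {
    // With an enforced frame-ancestors directive, browsers ignore
    // X-Frame-Options. All policies must pass, so one strict one suffices.
    const strict = lists.some((src) =>
      src.every((s) => /^'(none|self)'$/i.test(s))); // empty list == 'none'
    return strict ? 'protected' : 'review-allowlist';
  }
  const xfo = (headers['x-frame-options'] || '').toUpperCase()
    .split(',').map((v) => v.trim()).filter(Boolean);
  // ALLOW-FROM is obsolete and ignored by current browsers; unknown values
  // are treated as no protection.
  const ok = xfo.length > 0 &&
    xfo.every((v) => v === 'DENY' || v === 'SAMEORIGIN');
  return ok ? 'protected' : 'unprotected';
}

// Constructed sample responses (not captured from the reported site).
const samples = {
  noHeaders: {},
  xfoDeny: { 'x-frame-options': 'DENY' },
  allowFrom: { 'x-frame-options': 'ALLOW-FROM https://partner.example' },
  cspSelf: { 'content-security-policy': "default-src 'self'; frame-ancestors 'self'" },
  cspWildcard: { 'content-security-policy': 'frame-ancestors *', 'x-frame-options': 'DENY' },
};

for (const [name, headers] of Object.entries(samples)) {
  console.log(name.padEnd(12), framingVerdict(headers));
}
```

The `cspWildcard` case is the one to watch for in reviews: a permissive `frame-ancestors` overrides an otherwise correct `X-Frame-Options: DENY`.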