Unimplemented or Unsupported Feature in UI in spiral-project/ihatemoney

Valid

Reported on

Jul 18th 2021


ūüí• BUG

clickjacking bug.

ūüí• STEP TO REPRODUCE

I see there is no X-Frame-Options header present in response . So, it allow to load dashboard url in iframe which make clickjacking attack . Iframe will be completely hidden with opacity control so that victim dont suspect .

bellow code can be used as attack

<iframe src="https://ihatemoney.org/xxxx/" height="600px" width="800px" style="opacity:0.4">

ūüí• Impact

https://www.imperva.com/learn/application-security/clickjacking/
https://portswigger.net/web-security/clickjacking
https://owasp.org/www-community/attacks/Clickjacking
As this iframe is completely hidden , victim can suspect what happening in background and make clickjacking attack

Ziding Zhang
4 months ago

Admin


Hey ranjit, I've just emailed the maintainer and am waiting to hear back. Good job!

We have contacted a member of the spiral-project/ihatemoney team and are waiting to hear back 4 months ago
ranjit-git
3 months ago

Researcher


Hello @maintainer can you plz validate the bug here?

A spiral-project/ihatemoney maintainer validated this vulnerability 2 months ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
A spiral-project/ihatemoney maintainer confirmed that a fix has been merged on e626a1 2 months ago
The fix bounty has been dropped