Unimplemented or Unsupported Feature in UI in spiral-project/ihatemoney

Valid

Reported on

Jul 18th 2021

💥 BUG

clickjacking bug.

💥 STEP TO REPRODUCE

I see there is no X-Frame-Options header present in response . So, it allow to load dashboard url in iframe which make clickjacking attack . Iframe will be completely hidden with opacity control so that victim dont suspect .

bellow code can be used as attack

<iframe src="https://ihatemoney.org/xxxx/" height="600px" width="800px" style="opacity:0.4">

💥 Impact

https://www.imperva.com/learn/application-security/clickjacking/
https://portswigger.net/web-security/clickjacking
https://owasp.org/www-community/attacks/Clickjacking
As this iframe is completely hidden , victim can suspect what happening in background and make clickjacking attack

Z-Old
2 years ago

Admin

Hey ranjit, I've just emailed the maintainer and am waiting to hear back. Good job!

We have contacted a member of the spiral-project/ihatemoney team and are waiting to hear back 2 years ago
ranjit-git
2 years ago

Researcher

Hello @maintainer can you plz validate the bug here?

spiral-project/ihatemoney maintainer validated this vulnerability a year ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
spiral-project/ihatemoney maintainer marked this as fixed with commit e626a1 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
to join this conversation