Improper Restriction of Rendered UI Layers or Frames in filegator/filegator
Reported on
Aug 6th 2021
Clickjacking is a portmanteau of two words ‘click’ and ‘hijacking’. It refers to hijacking user’s click for malicious intent. In it, an attacker embeds the vulnerable site in an transparent iframe in attacker’s own website and overlays it with objects such as button using CSS skills. This tricks users to perform unintended actions on vulnerable website, thinking they are doing those on attacker’s website. Clickjacking, also known as a "UI redress attack".
POC:
Please visit this website https://clickjacker.io/test?url=https://demo.filegator.io/
IMPACT:
Users are tricked into performing all sorts of unintended actions are such as typing in the password, clicking on ‘Delete my account’ button, liking a post, deleting a post, commenting on a blog. In other words all the actions that a normal user can do on a legitimate website can be done using clickjacking.
Hey, not yet. The maintainers should have already been notified. Perhaps you can remind them on GitHub and refer to this report as they should already have access.
We are working on an automatic follow-up system, so that if maintainers miss the first email, they will be reminded again. I'm sure this will be valuable for situations like these.
