About reporting security issue/vulnerability in your website

harsh_0707051 harsh0707051mail at gmail.com
Tue Sep 17 11:35:34 EDT 2013

Respected Sir,

I just found a security vulnerability in your site. I found the
http://pidgin.im/security/ documentation regarding reporting
vulnerabilities to you, so I am writing this email to you.

Here are the details:
Type of Issue: Clickjacking
Vulnerable URL: All URLs on http://*.pidgin.im
My Configuration: I tested it with Mozilla Firefox 21.0 on Ubuntu 10.10
Description: It is one of the basic and easy vulnerabilities that most
people don't seem to know about. Clickjacking always exists if a site allows
its URLs to be loaded in <iframe> objects on other domains. It simply means
one can embed a URL into an <iframe> object on a third-party website, set the
properties of the iframe so it is not visible to the user, and place some
buttons over the objects loaded in the <iframe>, so that when the user clicks
the visible (third-party) button it actually triggers both click events (the
third-party website's button and the <iframe> object's).
You should check out http://javascript.info/tutorial/clickjacking, which
describes and simulates a live example of a clickjacking attack.

Currently I found it working with https://developer.pidgin.im/ and

How can you confirm the vulnerability?
1. Just create a web page with <iframe
in the page and upload it to some new domain which should not be a subdomain
of http://pidgin.im
2. Visit the page. You will be able to see that the page is actually loading in
an <iframe> object on a third-party domain, which can be misused for clickjacking.
(If you want quick testing without buying or registering some other
domain, you can use http://jsfiddle.net/ to run HTML code directly on a third-party
domain.)

How can it be misused?
1. Fraud clicks
2. Completing different actions which can be performed with single/multiple
clicks on the website without the user knowing.

How to fix it?
There are several ways of fixing this vulnerability, as suggested in
http://javascript.info/tutorial/clickjacking . For a reliable fix one
should apply "X-Frame-Options" to reject pages loading in an <iframe>.
If you need any further help please let me know, I will be happy to help.
I hope you will fix these security vulnerabilities as soon as possible. :)

Thank You.
Saurabh Chandrakant Nemade
Google's Acknowledgement :
Apple's Acknowledgement : http://support.apple.com/kb/HT1318
Microsoft's Acknowledgement (2 times) :
Mahara's Acknowledgement :
Ebay's Acknowledgement :
Adobe's Acknowledgement :
Red Hat's Acknowledgement : https://access.redhat.com/site/articles/66234
Nokia's Acknowledgement :
Bugsheet's Acknowledgement: http://www.bugsheet.com/bug-bounties
harsh_0707051 at rediffmail.com
harsh0707051mail at gmail.com
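Added example, not part of the report above or of the Pidgin project: a Python check that decides, from a response's headers, whether another origin may load the page in an <iframe>. It evaluates the X-Frame-Options fix the report recommends and also the Content-Security-Policy frame-ancestors directive, which browsers honour in preference to X-Frame-Options when both are present. The header sets and origins are constructed samples.

```python
from fnmatch import fnmatch
from urllib.parse import urlsplit

def _origin(url):
    u = urlsplit(url)  # "https://Example.com/path" -> "https://example.com"
    return f"{u.scheme.lower()}://{u.netloc.lower()}"

def _frame_ancestors(headers):
    # Source list of the CSP frame-ancestors directive, or None if unset
    for name, value in headers:
        if name.lower() != "content-security-policy":
            continue
        for directive in value.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                return [p.strip("'").lower() for p in parts[1:]]
    return None

def _source_matches(source, page_origin, framer_origin):
    if source in ("none", "*"):
        return source == "*"
    if source == "self":
        return framer_origin == page_origin
    # Host source such as https://*.pidgin.im; a bare host matches any scheme
    pattern = source if "://" in source else f"*://{source}"
    return fnmatch(framer_origin, pattern)

def framing_allowed(headers, page_url, framer_url):
    """True if the document at page_url may be shown in an <iframe> on framer_url."""
    page, framer = _origin(page_url), _origin(framer_url)
    ancestors = _frame_ancestors(headers)
    if ancestors is not None:  # CSP frame-ancestors wins over X-Frame-Options
        return any(_source_matches(s, page, framer) for s in ancestors)
    xfo = [v.strip().upper() for n, v in headers if n.lower() == "x-frame-options"]
    if not xfo:
        return True  # no framing policy at all: the condition the report describes
    policy = xfo[0]
    if policy == "DENY":
        return False
    if policy == "SAMEORIGIN":
        return framer == page
    if policy.startswith("ALLOW-FROM "):  # legacy; not implemented by every browser
        return _origin(policy[len("ALLOW-FROM "):].strip()) == framer
    return True  # an unrecognised value is ignored, so the page stays frameable

# Constructed sample responses: the unprotected case and a fixed case
UNPROTECTED = [("Content-Type", "text/html")]
FIXED = UNPROTECTED + [("X-Frame-Options", "SAMEORIGIN"),
                       ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'self'")]
```

Run it against captured headers from a staging deployment to confirm that pages answer with one of the two headers before and after the fix is rolled out.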