About reporting security issue/vulnerability in your website

harsh_0707051 harsh0707051mail at gmail.com
Tue Sep 17 11:35:34 EDT 2013


Respected Sir,
    I just found a security vulnerability in your site. I found the
http://pidgin.im/security/ documentation regarding reporting
vulnerabilities to you, so I am writing this email to you.

Here are the details:
Type of Issue: Clickjacking
Vulnerable URL: All URLs on http://*.pidgin.im
My Configuration: I tested it with Mozilla Firefox 21.0 on Ubuntu 10.10
Description: It is one of the basic and easy vulnerabilities that most
people don't seem to know about. Clickjacking always exists if a site allows
its URLs to be loaded in <iframe> objects on other domains. It simply means one can
embed a URL in an <iframe> object on a third-party website, set the properties
of the iframe so that it is not visible to the user, and place some buttons over the objects
loaded in the <iframe>, so that when the user clicks on the visible (third-party)
button it actually triggers both click events (the third-party website's button and the <iframe>
object's).
You should check out http://javascript.info/tutorial/clickjacking, which
describes and simulates a live example of a clickjacking attack with example
code.

Currently I found it working with https://developer.pidgin.im/ and
http://pidgin.im

How can you confirm the vulnerability?
1. Just create a web page with <iframe
src="http://pidgin.im/security"></iframe>
in the page and upload it to some new domain which should not be a subdomain
of http://pidgin.im.
2. Visit the page. You will be able to see that the page is actually loading in
an <iframe> object on a third-party domain, which can be misused for clickjacking.
(If you want quick testing without buying or registering some other
domain, you can use http://jsfiddle.net/ to run HTML code directly on a third-party
domain.)

How can it be misused?
1. Fraud clicks
2. Completing different actions which can be performed with single/multiple
clicks on the website without the user knowing.

How to fix it?
There are several ways of fixing this vulnerability, as suggested in
http://javascript.info/tutorial/clickjacking . For a reliable fix one
should apply "X-Frame-Options" to reject pages loading in <iframe>
objects.

If you need any further help please let me know, I will be happy to help.

I hope you will fix these security vulnerabilities as soon as possible. :)

Thank You.
---------------
Regards
Saurabh Chandrakant Nemade

Google's Acknowledgement :
http://www.google.com/about/appsecurity/hall-of-fame/distinction/
Apple's Acknowledgement : http://support.apple.com/kb/HT1318
Microsoft's Acknowledgement (2 times) :
http://technet.microsoft.com/en-us/security/cc308575
Mahara's Acknowledgement :
https://wiki.mahara.org/index.php/Contributors#Security_researchers
Ebay's Acknowledgement :
http://pages.ebay.com/securitycenter/ResearchersAcknowledgement.html
Adobe's Acknowledgement :
http://www.adobe.com/support/security/bulletins/securityacknowledgments.html
Red Hat's Acknowledgement : https://access.redhat.com/site/articles/66234
Nokia's Acknowledgement :
http://www.nokia.com/global/security/acknowledgements/
Bugsheet's Acknowledgement: http://www.bugsheet.com/bug-bounties

harsh_0707051 at rediffmail.com
harsh0707051mail at gmail.com
http://www.facebook.com/saurabh.nemade
https://twitter.com/SaurabhNemade
http://saurabhnemade.blogspot.in/
----------------
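The report above recommends X-Frame-Options as the fix. As an added example (not part of the report or of the Pidgin project), here is a small checker that takes a response's headers and decides whether the page can be framed cross-origin, covering both X-Frame-Options and the Content-Security-Policy frame-ancestors directive that browsers honour in preference to it; the sample header sets are constructed.

```python
"""Audit HTTP response headers for framing protection against clickjacking.

Added example, not part of the original report. It checks the two
mechanisms that stop a page being loaded in a third-party <iframe>:
X-Frame-Options (the fix the report recommends) and the newer
Content-Security-Policy frame-ancestors directive, which browsers
apply in preference to X-Frame-Options when both are present.
"""
from typing import Dict, List, Tuple


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy header into {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def framing_protection(headers: Dict[str, str]) -> Tuple[bool, str]:
    """Return (protected, reason) for one response's headers (names are case-insensitive)."""
    lower = {name.lower(): value.strip() for name, value in headers.items()}

    csp = parse_csp(lower.get("content-security-policy", ""))
    if "frame-ancestors" in csp:
        sources = {s.strip("'").lower() for s in csp["frame-ancestors"]}
        # "*" or a bare scheme source ("https:") lets any host on the web embed the page.
        if sources & {"*", "http:", "https:"}:
            return False, "frame-ancestors allows any origin"
        return True, "frame-ancestors restricts embedding to: " + " ".join(sorted(sources))

    xfo = lower.get("x-frame-options", "").upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True, "X-Frame-Options " + xfo
    if xfo.startswith("ALLOW-FROM"):
        # Deprecated; browsers that do not support it ignore the whole header.
        return False, "X-Frame-Options ALLOW-FROM is ignored by most browsers"
    if xfo:
        return False, "unrecognised X-Frame-Options value: " + xfo
    return False, "no framing restriction header present"


# Constructed sample responses: the unprotected case the report describes,
# and the same page after applying the recommended header.
REPORTED = {"Content-Type": "text/html"}
FIXED = {"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN"}

if __name__ == "__main__":
    for label, hdrs in (("reported", REPORTED), ("fixed", FIXED)):
        print(label, framing_protection(hdrs))
```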