
RE: Tabnabbing & Clickjacking on steemit.chat, Clickjacking on Steemit registration page

in #security, 7 years ago (edited)

Sure, I can change the title. I thought it needed some visibility.
Regarding the pr I guess I'm done working for free.. ;)

PS.

There's lack of certain features preventing users from shooting themselves in the foot

  • IMHO it's a lack of protection from attack vectors. The user could be tricked (through social media, emails, etc.) into a phishing page either through clickjacking of the chat login page (or steemit registration page) or tabnabbing - opening links in the chat and being presented with a fake login page when returning to the previous tab.

X-FRAME-OPTIONS on steem.chat is already set to DENY

  • steem.chat when I wrote the article was vulnerable to Clickjacking (see screenshot in my post), now it's not. I assume that X-FRAME-OPTIONS was added after reporting it? ¯\_(ツ)_/¯
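The two defences the comment above talks about (a frame-denying header against clickjacking, and `rel="noopener"` on links that open a new tab against tabnabbing) can be checked mechanically. The script below is an added example, not code from the commenter, Steemit, steem.chat or utopian; the response headers and HTML it inspects are constructed samples embedded in the file, so it runs offline.

```python
"""Added example (not the thread author's code): audit an HTTP response for
the two issues discussed above, clickjacking (no X-Frame-Options / CSP
frame-ancestors) and reverse tabnabbing (target=_blank links without
rel=noopener). All inputs below are constructed samples."""

from html.parser import HTMLParser


def clickjacking_status(headers):
    """Return (protected, reason) for a dict of response headers.

    Header names are matched case-insensitively. The page counts as
    protected when X-Frame-Options is DENY or SAMEORIGIN, or when a
    Content-Security-Policy frame-ancestors directive lists sources other
    than the wildcard.
    """
    h = {k.lower(): v for k, v in headers.items()}
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True, f"X-Frame-Options: {xfo}"
    csp = h.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.strip("'").lower() for s in parts[1:]]
            if sources and "*" not in sources:
                return True, "CSP frame-ancestors " + " ".join(sources)
            return False, "CSP frame-ancestors allows any origin"
    if xfo:
        # Values such as ALLOWALL or a malformed ALLOW-FROM give no protection
        return False, f"unrecognised X-Frame-Options value {xfo!r}"
    return False, "no X-Frame-Options or CSP frame-ancestors header"


class _LinkScanner(HTMLParser):
    """Collect hrefs of <a target=_blank> tags that lack rel=noopener."""

    def __init__(self):
        super().__init__()
        self.unsafe = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        a = dict(attrs)
        if (a.get("target") or "").lower() != "_blank":
            return
        rel = (a.get("rel") or "").lower().split()
        if "noopener" not in rel:
            self.unsafe.append(a.get("href") or "")


def tabnabbing_links(html):
    """Return the hrefs of new-tab links that leave window.opener reachable."""
    scanner = _LinkScanner()
    scanner.feed(html)
    return scanner.unsafe


# Constructed samples: a response before and after a frame-denying header
# was added, one using CSP instead, and a snippet of chat HTML with links.
SAMPLE_HEADERS = {
    "before": {"Content-Type": "text/html"},
    "after": {"Content-Type": "text/html", "X-Frame-Options": "DENY"},
    "csp": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
}
SAMPLE_HTML = """
<a href="https://example.org/x" target="_blank">x</a>
<a href="https://example.org/y" target="_blank" rel="noopener noreferrer">y</a>
<a href="https://example.org/z">z</a>
"""

if __name__ == "__main__":
    for name, hdrs in SAMPLE_HEADERS.items():
        ok, why = clickjacking_status(hdrs)
        print(f"{name:7} clickjacking {'protected' if ok else 'EXPOSED'}: {why}")
    for href in tabnabbing_links(SAMPLE_HTML):
        print(f"tabnabbing risk: {href} opens a new tab without rel=noopener")
```

The tabnabbing check flags only `target="_blank"` links; current browsers already imply `noopener` for such links, so this is defence in depth for older clients and a cheap lint for templates. The header check treats `ALLOW-FROM` and any other unrecognised `X-Frame-Options` value as unprotected, since browsers ignore values they do not understand.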

Sure, I can change the title.

Thank you :-)

Regarding the pr I guess I'm done working for free.. ;)

That's where utopian can help :-)

Ok, interesting. I'll take a look thanks :)

Wow, looking at your wallet (~400K $) it may be worth it.. :D

PS. utopian too is vulnerable to Clickjacking
(now reported)


[image: utopian2.png]