You are viewing a single comment's thread from:

RE: Tabnabbing & Clickjacking on steemit.chat, Clickjacking on Steemit registration page

in #security6 years ago

I have a mixed feelings about this post.
It's great that you pay attention.
It's great that you are notifying us about issues you've found.
No doubt about that.
Now... the title is more like a clickbait attack about clickjacking attack ;-) Think about it again. It's not that "Steemit registration page and steemit.chat are unsafe", (that's why I'm restraining from upvote), lets be clear here:
There's lack of certain features preventing users from shooting themselves in the foot and given possible attack vectors that's really a minor flaw.
Of course such things should be fixed, there's no reason to make bad guys life easier.
X-FRAME-OPTIONS on steem.chat is already set to DENY, however, that looks like some more complex design flaw that might impact certain use case scenarios... hopefully not.
As for rel attribute, I think (not sure) that there was some regression here recently. Anyway I encourage you to make a PR against the rocket.chat repository through utopian (see my last post on that).

6 years ago in #security by
$1.95
  • Past Payouts $1.95
  • - Author $1.84
  • - Curators $0.11
3 votes
Reply 4
Sort:  
  • Trending
    • [-]
     6 years ago (edited) 

    Sure, I can change the title. I thought it needed some visibility.
    Regarding the pr I guess I'm done working for free.. ;)

    PS.

    There's lack of certain features preventing users from shooting themselves in the foot

    • IMHO it's a lack of protection from attack vectors. The user could be tricked (trough social media, emails, etc) into a phishing page either through clickjacking of the chat login page (or steemit registration page) or tabnabbing - opening links in the chat and being presented with a fake login page when returning to the previous tab.

    X-FRAME-OPTIONS on steem.chat is already set to DENY

    • steem.chat when I wrote the article was vulnerable to Clickjacking (see screenshot in my post), now it's not. I assume that X-FRAME-OPTIONS was added after reporting it? ¯_(ツ)_/¯
    [-]
     6 years ago  

    Sure, I can change the title.

    Thank you :-)

    Regarding the pr I guess I'm done working for free.. ;)

    That's where utopian can help :-)

    [-]
     6 years ago (edited) 

    Ok, interesting. I'll take a look thanks :)

    Wow, looking at your wallet (~400K $) it may be worth it.. :D

    [-]
     6 years ago (edited) 

    PS. utopian too is vulnerable to Clickjacking
    (now reported)


    utopian2.png