I Found Clickjacking on Google CSE. Is This Important?

While I was testing, I found that cse.google.com is vulnerable to clickjacking, so I checked whether the settings page is vulnerable too, and it was, so now this has a risk! The attacker could delete someone’s CSE.

Summary: An attacker can delete the victim’s CSE.

Steps to reproduce:

  1. Go to https://cse.google.com/
  2. It can be embedded into any webpage.
  3. The attacker may manipulate the HTML template so that it can delete the victim’s CSE.
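Whether a page "can be embedded into any webpage" (step 2) is decided by the framing headers on its response. The check below is an added example for defenders, not code from the original post; the function names, verdict labels and the input shape (a plain object with lower-cased header names) are assumptions made for illustration.

```javascript
// Added example: classify a response's anti-framing headers.
// `headers` is a plain object with lower-cased names (constructed input shape).
const RANK = ['frameable', 'allow-list', 'same-origin-only', 'blocked'];

// Verdict for one CSP policy, or null when it has no frame-ancestors directive.
function cspVerdict(policy) {
  for (const directive of policy.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() !== 'frame-ancestors') continue;
    // 'none' only counts when it stands alone; an empty list also matches nothing.
    const list = sources.map(s => s.toLowerCase()).filter(s => s !== "'none'");
    if (list.length === 0) return 'blocked';
    // '*' or a bare scheme such as https: lets any site embed the page.
    if (list.some(s => s === '*' || /^https?:$/.test(s))) return 'frameable';
    return list.every(s => s === "'self'") ? 'same-origin-only' : 'allow-list';
  }
  return null;
}

function framingVerdict(headers) {
  // Every enforced policy applies, so the strictest frame-ancestors result wins.
  // Content-Security-Policy-Report-Only is deliberately not consulted.
  const verdicts = (headers['content-security-policy'] || '')
    .split(',').map(cspVerdict).filter(v => v !== null);
  if (verdicts.length > 0) {
    // When frame-ancestors is enforced, browsers ignore X-Frame-Options.
    return verdicts.reduce((a, b) => (RANK.indexOf(a) >= RANK.indexOf(b) ? a : b));
  }
  const xfo = [...new Set((headers['x-frame-options'] || '')
    .split(',').map(v => v.trim().toLowerCase()).filter(Boolean))];
  const known = xfo.filter(v => ['deny', 'sameorigin', 'allowall'].includes(v));
  // Conflicting values that include a recognised one fail closed.
  if (xfo.length > 1 && known.length > 0) return 'blocked';
  if (xfo[0] === 'deny') return 'blocked';
  if (xfo[0] === 'sameorigin') return 'same-origin-only';
  // Missing header, ALLOWALL, or an unrecognised value such as ALLOW-FROM.
  return 'frameable';
}
```

A verdict of `frameable` on a page that performs state-changing actions, such as a settings page, is the condition that makes clickjacking possible.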

I wrote exploit code for clickjacking, and here is the exploit code:

By using the clickjacking technique, an attacker can make someone unconsciously delete their CSE.

To see how an attacker can make someone unconsciously delete their CSE, you can check my video POC here:

Enough about the explanation.

Okay, the problem has just begun. My findings above are, in my opinion, valid bugs. Why? Because the attacker can delete someone’s data (CSE), isn’t this a bug? But the response I got was very surprising.

The part that makes me confused is, how is this not a bug? Because in my head it is clear that I can delete other people’s data.

What do you think? Is this a bug? Or is it just me who overestimates this as a bug?

This article was already published on dev.to.

Mukhammad Akbar | ♠️ Not live by rules like those ♠
