Click Jacking in bingmapsportal

Hello everyone,

This blog post will be about my 2nd report to Microsoft.

This was a rather simple vulnerability, but it can be dangerous in the right circumstances.

The bingmapsportal website was not returning the X-Frame-Options header.

That header tells the browser not to render the website inside an iframe (or any other frame) on another site.

Ever tried loading Google in an iframe? It didn't work, right? This header is the reason.

What happens if a site does load in an iframe? Then it is vulnerable to clickjacking.

You click on some seemingly random spot on a malicious website, and the click actually lands on the framed site; in this case, it could result in your account being disabled.
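To check for the condition described above, here is an added example of my own (not code from the original post, and not anything Microsoft or bingmapsportal ships): a small Python function that looks at a response's headers and decides whether an arbitrary origin can frame the page. It also handles the CSP frame-ancestors directive, which takes precedence over X-Frame-Options in browsers that support it; the sample header sets are constructed for illustration.

```python
# Added example: classify a response's anti-framing protection from its
# headers. Sample headers below are constructed, not captured from a real site.
from typing import List, Mapping, Optional


def frame_ancestors_from_csp(csp: str) -> Optional[List[str]]:
    """Return the frame-ancestors source list from a CSP value, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None


def framing_protection(headers: Mapping[str, str]) -> str:
    """Return 'csp', 'xfo' or 'none' depending on what stops cross-site framing.

    CSP frame-ancestors is checked first because browsers that understand it
    ignore X-Frame-Options when it is present. Header names are compared
    case-insensitively, as HTTP header names are.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    csp = lower.get("content-security-policy")
    if csp is not None:
        ancestors = frame_ancestors_from_csp(csp)
        if ancestors is not None:
            # A wildcard or bare scheme source still lets any origin frame the page.
            if "*" in ancestors or "https:" in ancestors or "http:" in ancestors:
                return "none"
            return "csp"
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "xfo"
    # ALLOW-FROM is obsolete and ignored by modern browsers, so it is not protection.
    return "none"


def is_clickjackable(headers: Mapping[str, str]) -> bool:
    """True when nothing in the headers prevents framing by another origin."""
    return framing_protection(headers) == "none"


# Constructed sample responses
MISSING = {"Content-Type": "text/html"}  # the situation described in the post
XFO_ONLY = {"X-Frame-Options": "SAMEORIGIN"}
CSP_ONLY = {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"}
CSP_WILDCARD = {"Content-Security-Policy": "frame-ancestors *", "X-Frame-Options": "DENY"}
OBSOLETE = {"X-Frame-Options": "ALLOW-FROM https://example.com"}

if __name__ == "__main__":
    for name, hdrs in [("missing", MISSING), ("xfo", XFO_ONLY), ("csp", CSP_ONLY),
                       ("csp-wildcard", CSP_WILDCARD), ("obsolete", OBSOLETE)]:
        print(f"{name:12} protection={framing_protection(hdrs):4} clickjackable={is_clickjackable(hdrs)}")
```

Note the CSP_WILDCARD case: a DENY X-Frame-Options header is overridden by a permissive frame-ancestors directive, so checking X-Frame-Options alone would give a false sense of safety.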

Read Paulos Yibelo's blog for a more detailed write-up of the same vulnerability, which he found on Yahoo and Coinbase.

I reported this vulnerability in November 2015 and got a reply like this:

A fix has been released for this issue. Microsoft would like to recognize your efforts on one of our public security acknowledgement pages for the month of November.

Since my name is already on November's list and they only add it once 😛 no matter how many you report, there is not much more to do.

Thank you for reading.

Peace :D


Originally published at kmskrishna.wordpress.com on January 23, 2016.