Click Jacking in bingmapsportal

Hello everyone,

This blog post will be about my 2nd report to Microsoft.

This was a rather simple vulnerability, but it can be dangerous if used correctly.

The bingmapsportal website was not returning the X-Frame-Options header.

That header tells the browser not to render the website inside an iframe on another page.

Ever tried loading Google in an iframe? It didn't work, right? This header is the reason.

What happens if a site does load in an iframe? Then it is vulnerable to clickjacking.

You might click on some seemingly harmless spot on a malicious website, and in this case that click could result in your own account being disabled.
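A defender's check for the condition described above, added here as an example that is not part of the original post: it classifies a response's headers by the anti-framing protection they give, looking at Content-Security-Policy frame-ancestors first and X-Frame-Options second. The header sets are constructed for illustration and are not bingmapsportal's real responses.

```python
# Added example (not from the original post): report what anti-framing
# protection a set of HTTP response headers provides. This is the audit check
# that would flag a response like the one described for bingmapsportal.

def framing_protection(headers: dict) -> str:
    """Return 'deny', 'sameorigin', 'restricted', or 'none'.

    CSP frame-ancestors is checked first because browsers that support it
    give it precedence over X-Frame-Options.
    """
    # Header names are case-insensitive, so normalise them once.
    h = {k.lower(): v for k, v in headers.items()}

    csp = h.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.strip("'").lower() for s in parts[1:]]
            if not sources or sources == ["none"]:
                return "deny"
            if sources == ["self"]:
                return "sameorigin"
            return "restricted"  # an explicit allow-list of framing origins

    xfo = h.get("x-frame-options", "").strip().lower()
    if xfo == "deny":
        return "deny"
    if xfo == "sameorigin":
        return "sameorigin"
    # ALLOW-FROM is obsolete and ignored by modern browsers; an absent,
    # unknown or malformed value is treated conservatively as no protection.
    return "none"


def is_clickjackable(headers: dict) -> bool:
    """True when any third-party page could frame this response."""
    return framing_protection(headers) == "none"


# Constructed sample responses (not real bingmapsportal headers).
MISSING = {"Content-Type": "text/html", "Server": "constructed"}
FIXED = {"Content-Type": "text/html", "X-Frame-Options": "DENY"}
CSP_SELF = {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"}

if __name__ == "__main__":
    for name, hdrs in [("missing", MISSING), ("fixed", FIXED), ("csp", CSP_SELF)]:
        print(f"{name}: protection={framing_protection(hdrs)} "
              f"clickjackable={is_clickjackable(hdrs)}")
```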

Read Paulos Yibelo's blog for a more detailed write-up on the same vulnerability, which he found on Yahoo and Coinbase.

I reported this vulnerability in November 2015 and got a reply like this:

A fix has been released for this issue. Microsoft would like to recognize your efforts on one of our public security acknowledgement pages for the month of November.

Since my name is already on November's list and they only add it once 😛 no matter how many you report, there is not much more to do.

Thank you for reading.

Peace :D


Originally published at kmskrishna.wordpress.com on January 23, 2016.
