Account Takeover with Clickjacking

Osama Avvan
Jun 19, 2019 · 2 min read

This writeup is about how I was able to change other users' account email with clickjacking. It was a private program on Bugcrowd.

The Profile page of the site allows the user to change their email, and there was no X-Frame-Options header on that page, so the profile page can be loaded in an iframe.

The profile page contains a form with an email field which was prefilled with the current email, so out of curiosity I just added an email parameter to the URL to check whether the email specified in the parameter was being inputted into the email field, and yes, it worked.


Now everything was set up; I just needed to load this URL in an iframe and make the user click on the Update button to change their email. So I created an HTML page for that, to trick the user into clicking that Update button.


I loaded the URL in an iframe and created a <div> tag with the text "Click here" and positioned it above the Update button, so now when the user clicks on "Click here", the Update button below it will be clicked, which will change the user's email.


This is the final look after setting the iframe opacity to 0, so now, after clicking on the "Click here" text, the user's email will be changed, and I can request a new password for the account with that email.
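The control missing from the profile page was an anti-framing response header. The following is an added example (not code from the original post) of a small Node.js audit function that classifies a response's framing protection from its `X-Frame-Options` and `Content-Security-Policy: frame-ancestors` headers; the function names and the sample header sets are assumptions constructed for illustration.

```javascript
// Added example, not from the original post: classify how a page's response
// headers restrict framing. Header names are expected in lower case.

function parseFrameAncestors(csp) {
  // Return the source list of the frame-ancestors directive, or null if absent.
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null;
}

function framingProtection(headers) {
  // Returns one of:
  //   'none'        -> any origin may frame the page (clickjackable)
  //   'same-origin' -> only same-origin framing allowed
  //   'restricted'  -> only the listed origins may frame the page
  //   'denied'      -> framing blocked everywhere
  const csp = headers['content-security-policy'];
  if (csp) {
    const ancestors = parseFrameAncestors(csp);
    // Browsers that honour frame-ancestors ignore X-Frame-Options when both exist.
    if (ancestors) {
      if (ancestors.includes("'none'")) return 'denied';
      if (ancestors.includes('*')) return 'none';
      if (ancestors.length === 1 && ancestors[0] === "'self'") return 'same-origin';
      return 'restricted';
    }
  }
  const xfo = headers['x-frame-options'];
  if (xfo) {
    const value = xfo.trim().toUpperCase();
    if (value === 'DENY') return 'denied';
    if (value === 'SAMEORIGIN') return 'same-origin';
    // Other values (including the obsolete ALLOW-FROM) are not reliably
    // enforced by modern browsers, so they count as no protection here.
  }
  return 'none';
}

// Constructed sample header sets: the profile page as found, and as it should be served.
const vulnerableProfile = { 'content-type': 'text/html' };
const hardenedProfile = {
  'content-type': 'text/html',
  'x-frame-options': 'DENY',
  'content-security-policy': "default-src 'self'; frame-ancestors 'none'",
};
```

Running `framingProtection(vulnerableProfile)` yields `'none'`, the condition that made the profile page framable, while the hardened set yields `'denied'`.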

So that is it. Always look for opportunities; even small vulnerabilities can have a larger impact. Thanks for reading.
