Account Takeover with Clickjacking

Osama Avvan
Jun 19, 2019 · 2 min read


This writeup is about how I was able to change other users' account email addresses with clickjacking. It was a private program on Bugcrowd.

The profile page of the site allows the user to change their email, and there was no X-Frame-Options header on that page, so the profile page could be loaded in an iframe.
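The missing header is the first thing to confirm when triaging a page like this. The following is an added example, not code from the writeup or from the program in question: a small Node.js helper that classifies a response's anti-framing headers and says whether an arbitrary third-party origin could embed the page. It assumes Node.js 18 or later (for the global `fetch`) and header names in lowercase, as Node's `http` and `fetch` APIs expose them.

```javascript
// Added example (not from the original writeup): classify a response's
// anti-framing headers so a defender can confirm whether a page such as the
// profile page above is frameable by a third-party origin.
// Assumes Node.js 18+ (global fetch) and lowercase header names.

// Pull the source list out of a CSP frame-ancestors directive, or null if absent.
function parseFrameAncestors(cspValue) {
  for (const directive of cspValue.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-ancestors') return sources;
  }
  return null;
}

// Decide whether an arbitrary third-party origin could embed the page.
// Browsers give CSP frame-ancestors precedence over X-Frame-Options when both
// are present, so the CSP directive is examined first.
function framingVerdict(headers) {
  const csp = headers['content-security-policy'];
  if (csp) {
    const ancestors = parseFrameAncestors(csp);
    if (ancestors) {
      // '*' or a bare scheme such as "https:" admits any origin on that scheme.
      const open = ancestors.some(s => s === '*' || /^[a-z][a-z0-9+.-]*:$/i.test(s));
      return open
        ? { frameable: true, reason: `CSP frame-ancestors permits any origin (${ancestors.join(' ')})` }
        : { frameable: false, reason: `CSP frame-ancestors limited to ${ancestors.join(' ')}` };
    }
  }
  const xfo = headers['x-frame-options'];
  if (xfo) {
    const value = xfo.trim().toUpperCase();
    if (value === 'DENY' || value === 'SAMEORIGIN') {
      return { frameable: false, reason: `X-Frame-Options ${value}` };
    }
    // ALLOW-FROM and unrecognised values are ignored by current browsers.
    return { frameable: true, reason: `X-Frame-Options value "${xfo}" is not honoured by modern browsers` };
  }
  return { frameable: true, reason: 'No X-Frame-Options or CSP frame-ancestors header' };
}

// Fetch a page you are authorised to test and run the verdict on its real
// headers. Not executed at load time; call it from your own script.
async function checkUrl(url) {
  const res = await fetch(url, { redirect: 'manual' });
  return framingVerdict(Object.fromEntries(res.headers.entries()));
}
```

The verdict treats a restricted `frame-ancestors` list (for example `'self'` or a named partner origin) as not frameable by an attacker-controlled page, which is the question that matters for this bug class; a page that the site itself may frame is still out of reach for an external clickjacking page. If a response carries several `Content-Security-Policy` headers, Node joins them with `, `, so the directive parser above should be run over each header value separately in that case.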

The profile page URL was http://example.com/mi-cuenta/mi-perfil/. The page contains a form with an email field prefilled with the current email, so out of curiosity I added an email parameter to the URL to check whether the value given in the parameter would be placed in the email field, and it worked: http://example.com/mi-cuenta/mi-perfil?email=hacked@gmail.com

Now everything was set up; I just needed to load this URL in an iframe and make the user click the Update button to change their email. So I created an HTML page to trick the user into clicking that Update button.

I loaded the URL in an iframe and created a <div> tag with the text "Click here", positioned above the Update button, so that when the user clicks "Click here" the Update button beneath it receives the click, which changes the user's email.

This is the final look after setting the iframe opacity to 0: now, after clicking on the "Click here" text, the user's email is changed, and I can request a new password for the account with that email.

So that is it. Always look for opportunities; even small vulnerabilities can have a larger impact. Thanks for reading.
