Clickjackings in Google worth 14981.7$

Raushan Raj
4 min readMar 6, 2018


Instead of going for Cross Site Scripting, Remote Code Execution, SQL Injection, etc. I decided to find clickjacking in google and facebook. Clickjacking is one of the lowest paid, mostly out of the scope and underestimated vulnerability by organisations.

What is Clickjacking ?

Unknowingly performing some sensitive actions on a webpage embedded(mostly in iframes) in any webpage with different or same domain/subdomain.

A. Clickjacking in Google’s play store payment page. 5000$

Steps to reproduce:
1. Attack url is is

2. When we add this url to <iframe src >there is an csp error :

“Refused to display ‘….docs:r1.100gb&usegapi=1&id=I2_1505755312332&parent=' in a frame because an ancestor violates the following Content Security Policy directive: “frame-ancestors ‘self’ https://* https://* https://editionsatplay.withgoogle.com"."

3. But “*” is allowed.

4. Go to and add some amount > 200 INR using google play recharge code.

5. Go to and create new site, there is an iframe option to insert. add URL given in step 1 to iframe src.

6. For POC i have included it in ( The page get embedded . Just by one click on subscribe ,amount (130 rs ) will get deducted and you will get subscribed to 100gb drive unknowingly.

Attack scenario:
Clickjacking on page lead to deduct amount from google play wallet and subscribe user to google drive upgrade

1.) Attacker will embed" in any

site like “" (here we can add javascript plugins)

2.) When user visit , and unknowingly click just one button (subscribe).Money will get deducted and he will be subscribed.

B. Clickjacking in using google’s open redirection vulnerability. 3133.7 $

Steps to reproduce:
1. <iframe height=”1200px” width=”1200px” src=”"></iframe>

2. The url in iframe src , will make “" as a referer to page.
3. Once there is valid referer , the X-Frame-Options Header Vanishes

Chrome / Firefox

Attack scenario:
It’s making whole pages/tabs clickjackable.
With few user interactions
1.) Attacker can close victim’s payment account
2.) Can add his account to manage victim’s account.
3.) Can Change payment profile details

C. Clickjacking in . 1337$

Steps to reproduce:
1. Go to youtube there is upload button and “Import your videos from Google Photos” , On clicking this video picker will open and url for the same is :

A.) There is a request parameter origin= and response header x-frame-options:ALLOW-FROM
B.) When we set origin= , there will be error page and x-frame-options:
C.) When we set origin= , there will be error page and x-frame-options:
D.)When we set origin= , PICKER appears and NO error page and x-frame-options: in response header
same is the case for

This means we can embed the video picker on

E.) : here i have uploaded the same in iframe.

Browser/OS: Firefox, Chrome

Attack scenario:
Clickjacking the button can convert user’s private/public videos to public on youtube

D. Clickjacking in Google Sites(New) Setting Page. 1337$

Clickjacking Lead to deleting the google sites (trashed)
Steps to reproduce:
1. As X-FRAME OPTIONS is Same-Origin , So the page can be embedded in my

2. Page is embedded to

Browser/OS: Firefox/Chrome

Attack scenario:
1.) Page contains some sensitive actions like : DELETING THE PAGE, RENAMING THE PAGE.

E. Clickjacking in Google’ site error page. 1337$

Steps to reproduce:
1. Create a Google site (new).Embed iframe with src=”"

2. Open a new browser, log in to Gmail and

3. In another tab open the site created in 1.( As the user is login. There is an option to change public profile pic (from albums, private photos inside google drive.Also user can upload from the system and set it as a profile pic)inside the iframe.

Browser/OS: chrome , firefox

Attack scenario:
Attacker can embed payload in google site. Just by few clicks , victim who is logged in to can unknowingly
1.) make his/her private pics public.
2.) Upload unwanted files in google drive
3.) Unknowingly subscribe to site changes subscription.
Embedding this page is like embedding the google drive picker.

F. Embedding unlisted youtube videos. 500$

Steps to reproduce:
1. Go to your video → advance settings — -> Distribution Options → embedding and uncheck it , so it means we can’t embed the video in any iframe
2. It can be embedded into any webpage <iframe src=”"></iframe>


Chrome / Linux

Attack scenario:
User instead of disallowing the video , can be embedded.

It was able to embed whole Youtube, Google Books. I have reported but both of them went duplicate. If any one want’s poc for duplicate one please ping me.

Next i started learning about CORS Vulnerability and was able to find cors issue in Google. Will disclose “CORS in google” reports soon.