You are viewing a single comment's thread from:

RE: Tabnabbing & Clickjacking on steemit.chat, Clickjacking on Steemit registration page

in #security6 years ago (edited)

Sure, I can change the title. I thought it needed some visibility.
Regarding the pr I guess I'm done working for free.. ;)

PS.

There's lack of certain features preventing users from shooting themselves in the foot

  • IMHO it's a lack of protection from attack vectors. The user could be tricked (trough social media, emails, etc) into a phishing page either through clickjacking of the chat login page (or steemit registration page) or tabnabbing - opening links in the chat and being presented with a fake login page when returning to the previous tab.

X-FRAME-OPTIONS on steem.chat is already set to DENY

  • steem.chat when I wrote the article was vulnerable to Clickjacking (see screenshot in my post), now it's not. I assume that X-FRAME-OPTIONS was added after reporting it? ¯_(ツ)_/¯
6 years ago in #security by
$0.00
    3 votes
    Reply 3
    Sort:  
  • Trending
    • [-]
     6 years ago  

    Sure, I can change the title.

    Thank you :-)

    Regarding the pr I guess I'm done working for free.. ;)

    That's where utopian can help :-)

    [-]
     6 years ago (edited) 

    Ok, interesting. I'll take a look thanks :)

    Wow, looking at your wallet (~400K $) it may be worth it.. :D

    [-]
     6 years ago (edited) 

    PS. utopian too is vulnerable to Clickjacking
    (now reported)


    utopian2.png