( SPOILER: most social media are affected by Tabnabbing! )
( SPOILER: some banking websites are affected by Clickjacking! )
The conclusion of both tests on https://steemit.com was that Steemit is quite robust. After that, though, I found out about the existence of https://steemit.chat and... drumroll... it's vulnerable to both attacks!
As you can see in the screenshot, links posted in the channels use target="_blank" in order to be opened in a new tab, but no rel attribute is present to block Tabnabbing.
If you want to exploit the vulnerability for testing purposes in your browser, you can simply replace the href of an existing link posted in the chat to point at https://mycatnamedweb.github.io (e.g. Chrome Developer Tools -> Edit as HTML).
As you can see, after clicking on the link and opening my GitHub Page, within a couple of seconds the Steemit chat page is replaced by a trivial phishing page (just a screenshot of the Facebook login page).
Clearly posting the link on the chat would have the same result.
This attack works on all major browsers.
As you can see in the screenshot, the current URL in the browser is facebook.com but the browser displays a full-page login of steemit.chat. That's achieved simply by using an iframe that points to https://steemit.chat/home. In this case the iframe has been added on the client side, but in a real scenario it would be injected into a vulnerable page (e.g. via XSS) or used on a page with a similar URL (e.g. steemlt.com), and fake input fields would be overlaid on the real credential fields.
PS: The Steemit registration page https://signup.steemit.com is also vulnerable to Clickjacking!
HOW TO FIX IT:
- Tabnabbing: on every anchor that uses target="_blank", set the rel attribute to "noreferrer nofollow noopener", or alternatively launch links in new tabs only through a temporary iframe.
- Clickjacking: your server has to return the header X-Frame-Options: DENY so that browsers will refuse to render your website inside an iframe.
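To make both fixes concrete, here is an added example (my own code, not steemit.chat's or Steemit's) in plain Node.js. It audits rendered chat HTML for target="_blank" anchors that lack a rel attribute blocking window.opener access, rewrites them so they carry rel="noopener noreferrer", and builds the response headers that stop the site from being framed. The HTML sample, the example.test URLs and all function names are constructed for the demonstration; the regex-based attribute parsing is deliberately simple and assumes double-quoted attribute values, which is what most templating engines emit.

```javascript
// Added example: tabnabbing audit/fix for rendered HTML and anti-clickjacking
// headers. Not code from the original post. Uses only Node.js built-ins.

// Either token breaks the window.opener link; noreferrer also implies noopener
// in current browsers, but emitting both covers older engines.
const SAFE_REL = ['noopener', 'noreferrer'];

// Match every <a ...> opening tag so its attributes can be inspected.
const ANCHOR_RE = /<a\b([^>]*)>/gi;
// Match name="value" pairs inside a tag (assumes double-quoted values).
const ATTR_RE = /([a-zA-Z-]+)\s*=\s*"([^"]*)"/g;

function parseAttrs(attrText) {
  const attrs = {};
  for (const m of attrText.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2];
  }
  return attrs;
}

// Audit: return the hrefs of anchors that open a new tab while leaving the
// new page a usable window.opener (the precondition for tabnabbing).
function findTabnabbableLinks(html) {
  const findings = [];
  for (const m of html.matchAll(ANCHOR_RE)) {
    const attrs = parseAttrs(m[1]);
    if ((attrs.target || '').toLowerCase() !== '_blank') continue;
    const rel = (attrs.rel || '').toLowerCase().split(/\s+/).filter(Boolean);
    if (!rel.includes('noopener') && !rel.includes('noreferrer')) {
      findings.push(attrs.href || '(no href)');
    }
  }
  return findings;
}

// Fix: add the missing rel tokens to every target="_blank" anchor, keeping
// any tokens (e.g. nofollow) that were already present.
function hardenLinks(html) {
  return html.replace(ANCHOR_RE, (tag, attrText) => {
    const attrs = parseAttrs(attrText);
    if ((attrs.target || '').toLowerCase() !== '_blank') return tag;
    const rel = new Set((attrs.rel || '').toLowerCase().split(/\s+/).filter(Boolean));
    for (const token of SAFE_REL) rel.add(token);
    const relValue = [...rel].join(' ');
    if ('rel' in attrs) {
      return tag.replace(/\brel\s*=\s*"[^"]*"/i, `rel="${relValue}"`);
    }
    return tag.replace(/^<a\b/i, `<a rel="${relValue}"`);
  });
}

// Headers that make the browser refuse to render the site inside a frame.
// X-Frame-Options: DENY is the header the post recommends; the CSP
// frame-ancestors directive is its modern equivalent and wins where both
// are understood, so sending both is the usual practice.
function antiClickjackingHeaders() {
  return {
    'X-Frame-Options': 'DENY',
    'Content-Security-Policy': "frame-ancestors 'none'",
  };
}

// Constructed sample resembling a chat message rendered to HTML: one unsafe
// new-tab link, one already-safe new-tab link, one same-tab link.
const SAMPLE_HTML =
  '<p>look at this <a href="https://example.test/post" target="_blank">link</a> ' +
  'and <a href="https://example.test/safe" target="_blank" rel="noopener">this</a> ' +
  'and <a href="/internal">this one</a></p>';

console.log('tabnabbable links:', findTabnabbableLinks(SAMPLE_HTML));
console.log('hardened HTML:', hardenLinks(SAMPLE_HTML));
console.log('headers:', antiClickjackingHeaders());
```

Running the script reports https://example.test/post as the only tabnabbable link; after hardenLinks the audit finds nothing, and the already-safe anchor keeps its original token alongside the added one. The header object is what a server middleware would attach to every HTML response.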