Details
-
Bug
-
Resolution: Fixed
-
Highest
Description
I would like to give some warnings about the profile and setting pages in bitbucket.org. It allows remote attackers to do some clickjacking which can be used for adding arbitrary tasks in users' task list. Why? Almost all of your page has missing X-FRAME-OPTIONS header.
Websites are at risk of a clickjacking attack when they allow content to be embedded within a frame. An attacker may use this risk to invisibly load the target website into their own site and trick users into clicking on links which they never intended to. An "X-Frame-Options" header should be sent by the server to either deny framing of content, only allow it from the same origin or allow it from a trusted URIs.
Here is an example PoC video done by Aditya Gupta, Subho Halder and Dev Kar for Google Plus: http://www.youtube.com/watch?v=W0fTFHCxXBY (They got a hall of fame for this demo).
Vulnerability Reference: http://www.troyhunt.com/2013/05/clickjack-attack-hidden-threat-right-in.html
Google and Facebook has patched this kind of simple exploit/vulnerability.
Solution: Add a header to explicitly describe the acceptable framing practices (if any) for this site.
For example, here’s what Facebook does:
X-Frame-Options: DENY
And that's why you cannot include Facebook anymore in an iframe .
Attached is my PoC screenshot too using the link https://bitbucket.org/repo/create.
Regards,
Jay Turla