Uploaded image for project: 'Bitbucket Cloud'
  1. Bitbucket Cloud
  2. BCLOUD-7812

Bitbucket Allows Potential Clickjacking -- set X-Frame-Options (BB-8983)

    XMLWordPrintable

    Details

      Description

      I would like to give some warnings about the profile and setting pages in bitbucket.org. It allows remote attackers to do some clickjacking which can be used for adding arbitrary tasks in users' task list. Why? Almost all of your page has missing X-FRAME-OPTIONS header.

      Websites are at risk of a clickjacking attack when they allow content to be embedded within a frame. An attacker may use this risk to invisibly load the target website into their own site and trick users into clicking on links which they never intended to. An "X-Frame-Options" header should be sent by the server to either deny framing of content, only allow it from the same origin or allow it from a trusted URIs.

      Here is an example PoC video done by Aditya Gupta, Subho Halder and Dev Kar for Google Plus: http://www.youtube.com/watch?v=W0fTFHCxXBY (They got a hall of fame for this demo).

      Vulnerability Reference: http://www.troyhunt.com/2013/05/clickjack-attack-hidden-threat-right-in.html

      Google and Facebook has patched this kind of simple exploit/vulnerability.
      Solution: Add a header to explicitly describe the acceptable framing practices (if any) for this site.

      For example, here’s what Facebook does:

      X-Frame-Options: DENY

      And that's why you cannot include Facebook anymore in an iframe .

      Attached is my PoC screenshot too using the link https://bitbucket.org/repo/create.

      Regards,

      Jay Turla

        Attachments

          Activity

            People

            Assignee:
            6995b9ed1710 evzijst
            Reporter:
            shipcodez shipcod3
            Votes:
            2 Vote for this issue
            Watchers:
            4 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved: