June 20, 2012 · iBiBo ClickJacking

IBIBO Clickjacking Vulnerability

In this blog post, I'll write about a clickjacking vulnerability that I discovered.

Introduction

IBIBO is a social networking and gaming website, currently one of the largest "Indian" social networking websites. At the time of writing its Alexa Rank was 1,198 globally and 121 in India.

On 19th June 2012, while browsing the website, I noticed that the site does not use the X-FRAME-OPTIONS header to prevent framing of important pages. This can be used to click-jack users of ibibo.com into performing different kinds of actions on their behalf.

Now let's talk a little about click-jacking.

What is Clickjacking

Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different to what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages. It is a browser security issue that is a vulnerability across a variety of browsers and platforms; a clickjack takes the form of embedded code or a script that can execute without the user's knowledge, such as clicking on a button that appears to perform another function. The term "clickjacking" was coined by Jeremiah Grossman and Robert Hansen in 2008. - Wikipedia

As mentioned earlier, ibibo.com allows framing of its pages without any restriction, which makes clickjacking attacks easy to carry out.

Video Demo

In the video below, it can be clearly seen that a user plays a specially crafted game, which is in fact the clickjacking page. After completing the game, when he tries to check the score nothing appears to happen, but in the background his ibibo account is automatically updated by the clickjacking exploit.

If the account was linked to Facebook and Twitter, they would also be updated automatically. (I have not tested this, though.)

Prevention

Prevention can only be done by ibibo.com, by restricting framing of crucial pages with the X-FRAME-OPTIONS HTTP header on the server side. The header must be sent on every response that performs a state-changing action, since the browser evaluates it per response, not per site.

For general users, a temporary workaround is the NoScript Firefox add-on, which provides built-in protection against clickjacking/likejacking attacks.

As general security advice, people should not follow suspicious links or click on pages that look fishy, especially when they are sent by an unknown user or mailer.

Thanks for reading, have a good day