I find it ironic that the Wikipedia page on clickjacking [0] lists exactly this exploit as the example, and yet no one has reported it or fixed it in all this time.
Unfortunately x-frame-options does not always fix these kinds of problems. If you can get the user to click more than once on your page, you can open a tab in the background on the first click (google for popunder.js), and if you can predict click #2 a split second before it happens (e.g. Zalewski's game PoC), you can bring the popunder to the front and reposition it right under their cursor.
(Note: Amazon could fix this by detecting when the opener is xdomain and requiring some minimum number of mouseover events in the page before the button is clickable.)
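The mitigation sketched in the comment above, as an added illustration that is not code from the thread or from Amazon: a client-side gate that keeps a sensitive button inert when the page was opened by a cross-origin opener until the page has seen a minimum number of trusted mouseover events. A popunder that is dragged to the front a split second before a pre-timed click never accumulates those events, so the click lands on a disabled control. The names `openerIsCrossOrigin`, `createClickGate`, the `minMouseovers` option and the `buy-now` element id are assumptions for illustration; the fake `win` objects used below stand in for the real `window`.

```javascript
// Added example (not from the thread): gate a sensitive button behind real
// user interaction when the page was opened by another origin.

// Decide whether this window was opened by a page on another origin.
// Reading a cross-origin opener's location throws, so a throw counts as
// cross-origin; no opener at all (a normal navigation) is not gated.
function openerIsCrossOrigin(win) {
  if (!win.opener) return false;
  try {
    return win.opener.location.origin !== win.location.origin;
  } catch (e) {
    return true; // cross-origin access to opener.location throws
  }
}

// Build a gate for the given window. minMouseovers (assumed option name) is
// the number of trusted mouseover events required before a gated button may
// be clicked. Only events with isTrusted === true are counted, so script-
// dispatched synthetic events cannot satisfy the gate.
function createClickGate(win, { minMouseovers = 3 } = {}) {
  const gated = openerIsCrossOrigin(win);
  let mouseovers = 0;
  return {
    onMouseover(event) {
      if (event && event.isTrusted) mouseovers += 1;
      return mouseovers;
    },
    canClick() {
      return !gated || mouseovers >= minMouseovers;
    },
    isGated() {
      return gated;
    },
  };
}

// Browser wiring, skipped when run under Node. Assumes a button with id
// "buy-now" (hypothetical id for this example).
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const gate = createClickGate(window, { minMouseovers: 3 });
  const button = document.getElementById('buy-now');
  if (button) {
    button.disabled = !gate.canClick();
    document.addEventListener('mouseover', (e) => {
      gate.onMouseover(e);
      button.disabled = !gate.canClick();
    });
    button.addEventListener('click', (e) => {
      if (!gate.canClick()) e.preventDefault();
    });
  }
}
```

This is a heuristic layer on top of framing protection, not a replacement for it: X-Frame-Options or a CSP `frame-ancestors` directive still blocks the plain transparent-iframe case, and this gate only covers the popunder variant the comment describes, where the page is top-level and the opener is foreign.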
Clickjacking is especially scary because most web apps are probably vulnerable. The default httpd.conf that ships with most package managers doesn't include the X-Frame-Options header. (Perhaps it should.)
Based on my testing, it appears Rails does not add that header either. Do any other frameworks?
It appears we're each partially right: If you generated a new Rails app after August 2012, you get the header by default. If you generated the app before August 2012, you do not get the header by default.
So PSA: Updating Rails in an existing app does not cause this header to be added. You must add it yourself in application.rb if it's not already there. See garethadams' footnote #2 above.
Most frameworks/servers don't do that. It's bad design of web specs, not a bug actually. Developers don't have to remember about it... And yeah, I added default_headers to Rails a while ago.
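The thread's point is that whether a page can be framed depends on a header the server or framework may or may not emit. As an added example that is not code from the thread, from Rails or from Apache, here is a small audit that takes a response's headers and reports whether an arbitrary origin could frame the page. It honours `Content-Security-Policy: frame-ancestors` (which takes precedence over X-Frame-Options in browsers that support it, and which is how a site can still allow a specific embedding partner, the Facebook-like-button case raised elsewhere in the thread) and falls back to X-Frame-Options. The function names and the constructed sample responses are assumptions for illustration.

```javascript
// Added example (not from the thread): audit response headers for framing
// protection. Header names are matched case-insensitively; values are
// strings as Node's http module would hand them over.

// Return the source list of a CSP frame-ancestors directive, lower-cased,
// or null when the directive is absent.
function parseFrameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null;
}

// Report whether any origin could frame this response, plus the reasons.
function auditFramingHeaders(headers) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) {
    h[name.toLowerCase()] = String(value);
  }
  const result = { frameableByAnyOrigin: true, reasons: [] };

  const ancestors = parseFrameAncestors(h['content-security-policy']);
  if (ancestors) {
    // '*' or a bare scheme such as https: admits any origin (of that scheme).
    const openToAll = ancestors.some((t) => t === '*' || /^https?:$/.test(t));
    if (openToAll) {
      result.reasons.push(`frame-ancestors admits any origin: ${ancestors.join(' ')}`);
    } else {
      result.frameableByAnyOrigin = false;
      result.reasons.push(`frame-ancestors restricts framing to: ${ancestors.join(' ')}`);
    }
    return result; // CSP decides; X-Frame-Options is ignored when both exist
  }

  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') {
    result.frameableByAnyOrigin = false;
    result.reasons.push(`X-Frame-Options: ${xfo}`);
  } else if (xfo.startsWith('ALLOW-FROM')) {
    // Obsolete; current browsers ignore it, so it gives no protection.
    result.reasons.push('X-Frame-Options ALLOW-FROM is ignored by current browsers');
  } else if (xfo === '') {
    result.reasons.push('no X-Frame-Options header and no frame-ancestors directive');
  } else {
    result.reasons.push(`unrecognised X-Frame-Options value: ${xfo}`);
  }
  return result;
}

// Constructed sample responses for the cases discussed in the thread.
const SAMPLE_RESPONSES = {
  // Stock httpd.conf / pre-August-2012 Rails app: no anti-framing header.
  bareDefault: { 'Content-Type': 'text/html' },
  // Rails app generated after the default_headers change.
  railsDefault: { 'Content-Type': 'text/html', 'X-Frame-Options': 'SAMEORIGIN' },
  // Page that must be embeddable by one partner but nobody else.
  partnerOnly: {
    'Content-Type': 'text/html',
    'Content-Security-Policy': "frame-ancestors 'self' https://partner.example",
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, headers] of Object.entries(SAMPLE_RESPONSES)) {
    console.log(name, auditFramingHeaders(headers));
  }
}
```

In Rails the header the thread refers to is set through `config.action_dispatch.default_headers`; as the comments note, an app generated before that default existed keeps its old configuration after an upgrade, so running a check like this against each app's live responses is more reliable than assuming the framework version protects you.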
That sucks. It makes responsible disclosure seem marginally less attractive without any type of reward. I am sure most people would either do it or not, but there's probably some on the fence. And some people might actually start looking knowing there was a legitimate reward.
There's a bit of back and forth between intrinsic and extrinsic motivation, where an external reward can reduce intrinsic motivation more than it increases extrinsic motivation. That is, if the reward is known but small, someone could go from, "I'll submit this since I want to help them out," to, "I'm not going to work for below minimum wage!"
I have no idea. Adding a single HTTP header seems simple to me, but I have no idea what their architecture looks like. It took them an entire month to send me a "thanks, we're working on it" email and that was only after I followed up with them.
Probably because you can't do much by exploiting this security hole besides annoying people, so there's little incentive to do so. If you can get me to click on an item and buy it, the item will be shipped to my physical address, not yours. Even if it was a product you were selling, I could return it for a refund and your account would be charged back. It doesn't seem like a very profitable scheme.
Sorry about that. I tried to push the POC code to my blog and forgot that Heroku doesn't like the version of Wordpress I'm running. Should be back up now.
> <azonenberg> wordpress is an unauthenticated remote shell that, as a useful side feature, also contains a blog
That's an old joke and obviously an exaggeration, but it's not horribly far off. Wordpress instances fall to attack constantly, due to a combination of bugs in the base application itself (not terribly common) and extensions (not just common -- CONSTANT). In terms of breakability, I would rank Wordpress in the top 1% of applications without a second thought.
If you believe you're aware of any security issues with WordPress core itself, Automattic is running a Bug Bounty program over on HackerOne here: https://hackerone.com/automattic/ -- responsible disclosure, bug bounties, and making the web a safer place is awesome.
So you are implying that there are no honest people out there, and on top of that everyone that finds a vulnerability has the guts and resources to make money off a 0day bug?
What's so hard in making money off 0days? Especially in this day and age of SilkRoute clones and Cryptocurrencies.
I was under the impression that a big reason why 0day exploits are not popping up all over is because the folks who discover them can now sell them (for way more than any bounty program), whereas earlier the only way to monetize was to use them as advertisement for selling your skills. Instant payment vs Contractual jobs. I'd say now the 0day vulns end up in the hands of professionals (criminal networks/state actors) rather than script kiddies.
This hack is classic clickjacking. I created a transparent iframe containing a product page on amazon.com that had been carefully positioned so when you think you’re clicking on my page, you’re actually clicking the “Buy now” button on their site instead. Here’s the link to the code for the no longer working proof of concept: https://gist.github.com/joshfraser/819308dbae43ff70d892
If the fix was that easy, it would have been implemented by now. Doing so would prevent some useful behavior. For instance, an embeddable Facebook like button needs to run in an iframe and uses facebook.com cookies to be able to associate the like with the user.
I'm a big fan of your research. I debated whether to go with a more specific title like "Clickjacking with one click purchases on Amazon" but decided to keep it simple for people unfamiliar with the concept.
> I resisted the temptation to use the exploit to send myself a million dollars worth of free Amazon gift cards
Sorry, but that's not how Amazon's "Buy It Now" option works. It sends the item to the default address on file. So it would not be possible for the clickjacker to get it mailed to their own address.
You can send a gift card to an email address that you specify. I can't seem to do it now, but I remember being able to pre-populate the email address using a GET variable:
Yes, but even better, you could list your own products on Amazon and get paid whatever amount you want. Of course, there's no way to stop the email receipts from Amazon, but you might be able to get away with it for a short period of time.
[0]: https://en.wikipedia.org/wiki/Clickjacking#Examples
Edit: This example was added to the wiki page in December 2009. Relevant link: https://en.wikipedia.org/w/index.php?title=Clickjacking&oldi...