| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CADZXBOOY=m10SHEfMwVWe-cxGD7A02OAJfu1Y8_GOnu89GcViw@mail.gmail.com> Date: Thu, 17 Jan 2013 11:34:28 +0530 From: 7h3_J0k3r <j0k3r@...l.co.in> To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com Subject: Clickjacking in LinkedIn.com Clickjacking in LinkedIn : - Description : The "Remove Connections" section of LinkedIn was vulnerable to clickjacking. An attacker could perform a UI redress attack against this vulnerability by designing innocuous seeming web pages and trick a logged in user to remove some of his/her existing connections. - Bug Status - FIXED - Bug found on: 12th Sep. 2012 - Bug Reported on: 14th Sep. 2012 - Bug Fixed on : 11th Jan. 2013 - Bug Details : "Remove Connection" option in LinkedIn was found vulnerable to ClickJacking. - Impact : This would have potentially tricked a genuine user into clicking on something different to what the user perceives they are clicking on, thus potentially deleting some existing connections in their profile while clicking on innocuous looking web pages. - Fix : LinkedIn implemented the X-Frame-Options - POC : http://www.youtube.com/watch?v=MtfQtVal_DM&feature=youtu.be - Other links : http://jovynlobo.blogspot.in/2012/10/clickedin-clickjacking-vulnerability-in.html Cheers :} _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists