Vulnerability Report [Click-Jacking]
Whitehat Security
Hi Team.
I am an security researcher and I have found a bug in your website https://ontobee.org
The details of it are as follows:-
CLICK-JACKING.
Description :
Click-jacking, also known as a "UI redress attack" is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top level page. Thus, the attacker is "hijacking" clicks meant for their page and routing them to another page, most likely owned by another application, domain, or both.
Using a similar technique, keystrokes can also be hijacked. With a carefully crafted combination of style-sheets, I-frames, and text boxes, a user can be led to believe they are typing in the password to their email or bank account, but are instead typing into an invisible frame controlled by the attacker.
Impacts:
1. Tricking a user into unknowingly clicking on things and then gaining access to his account
2. An attacker can gain access to the credentials of users and use those credentials for booking and payment.
3. Adding events to their profile they are interested in attending.
4. editing their star rating on reviews
5. Using their bank account details to books in hotels whereas the bill will go to their bank account.
6. Bookmarking unwanted business.
POC:
<html>
<head>
</head>
<body>
<h1>Click-Jacking In Your Site</h1>
<iframe src=" https://ontobee.org "height="800" width="1300">
</iframe>
</body>
</html>
Waiting for your reply.
Regards
POC
Whitehat Security
I hope you're doing well. I wanted to follow up on the vulnerability I reported. I understand that security assessments and fixes take time, and I truly appreciate your team's efforts in addressing these issues.
Please confirm your interest if you are willing to fix the issue to avoid further follow-ups. If you have already fixed the issue, please let us know, and we will proceed with retesting.
As a security researcher, I responsibly reported this vulnerability to help secure your platform. In recognition of my efforts, I expect a reward, which can be sent via PayPal or bank transfer. I would appreciate an update on this discussion as well.
Looking forward to your response.
Best regards
Whitehat Security
I’m following up once more regarding the vulnerability report. We’re happy to know you’ve received it and that it’s contributing to your security improvements.
As mentioned earlier, we would also appreciate a reward for the vuln, granted purely at your discretion. This doesn’t require a bug bounty program — it’s simply a way to acknowledge the effort put into reporting it ethically.
Thank you for your time and acknowledgment.
Best regards
Whitehat Security
I hope everything is going well on your end. I wanted to politely follow up regarding the vulnerability we reported earlier.
While our main goal is to help improve your security posture, we would also welcome a reward for the vuln, should you decide to grant one. We fully understand this is not an obligation and depends entirely on your room and discretion.
Your acknowledgment and appreciation mean a lot to us.
Best regards