New issue
Advanced search Search tips

Issue 660964 link

Starred by 1 user
Status: WontFix
Owner: ----
Closed: Nov 2016
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security



Sign in to add a comment

Security:anti-click jacking

Reported by cmarkta...@gmail.com, Oct 31 2016 
VULNERABILITY DETAILS
When you log in on the url below you will see that there was a crsf token which can be used in brute force attack.

This creates a style element (CSS on the fly) to hide the body of the current page by default. Then if it doesn't detect click jacking, it deletes it. So, doing it this way, everyone who doesn't have a java script can see the page too, but they are not protected from click jacking. 

VERSION
Chrome Version: [54.0.2840.71 m 64bit] + [stable, beta, or dev]
Operating System: [Windows7 64bit]

REPRODUCTION CASE
https://oauth.binary.com/oauth2/authorize?app_id=1&l=EN
https://gc.kis.scr.kaspersky-labs.com/934C18A4-0ED7-7746-AC63-7FCB36F71775/main.js
https://www.binary.com/en/user/security/authorised_appsws.html
https://github.com/binary-com/binary-static/tree/master/src/images

Comment 2 by nparker@chromium.org, Nov 1 2016

Status: WontFix (was: Unconfirmed)
I agree, there is no bug here as I read it.
Project Member

Comment 3 by sheriffbot@chromium.org, Feb 8 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment