frame-busting

3 articles
0 6/10

The Firefox Find My Device service was vulnerable to clickjacking because it sent no X-Frame-Options header and used no frame-busting techniques, allowing attackers to trick users into wiping devices, changing PINs, or locking phones. The attack relied on a usability feature of the service: authenticated users are auto-redirected to their device ID page, which makes the full URL predictable without needing to guess the device ID.

Firefox OS Find My Device Where's My Fox Mozilla X-Frame-Options Mohamed A. Baset
seekurity.com · devanshbatham/Awesome-Bugbounty-Writeups · 18 hours ago · details
0 7/10

Microsoft Yammer was vulnerable to clickjacking because HTML5 sandboxed iframes could bypass the application's frame-busting JavaScript protections, allowing attackers to iframe sensitive pages and perform unauthorized actions on behalf of logged-in users. Microsoft patched the issue by implementing the X-Frame-Options: SAMEORIGIN header.

Microsoft Yammer Seekurity Mohamed A. Baset
seekurity.com · devanshbatham/Awesome-Bugbounty-Writeups · 18 hours ago · details
0 6/10

A clickjacking vulnerability in Telegram's web client allowed attackers to iframe the application: a sandboxed iframe bypassed the frame-busting JavaScript, and blocking the app.css stylesheet circumvented the CSS-based visibility controls. Together these enabled CSRF attacks and unauthorized account actions. The vulnerability was fixed by implementing server-side X-Frame-Options headers.

Telegram Mohamed A. Baset Pavel Durov Seekurity
seekurity.com · devanshbatham/Awesome-Bugbounty-Writeups · 18 hours ago · details