A security researcher discovered a clickjacking vulnerability on Binary.com's ticktrade subdomain and bypassed its JavaScript frame-busting defenses by loading the page in an HTML5 sandboxed iframe with specific permissions (allow-modals, allow-scripts, allow-forms, allow-popups, allow-same-origin).
A clickjacking vulnerability in Microsoft Yammer was discovered by using HTML5 sandboxed iframes to bypass the application's frame-busting JavaScript protections, allowing attackers to frame sensitive pages and perform unauthorized actions on behalf of logged-in users. Microsoft patched the issue by adding the X-Frame-Options: SAMEORIGIN header.
A clickjacking vulnerability in Telegram's web client allowed attackers to frame the application in sandboxed iframes to bypass its frame-busting JavaScript, combined with blocking the app.css stylesheet to circumvent CSS-based visibility controls, enabling CSRF attacks and unauthorized account actions. The vulnerability was fixed by adding server-side X-Frame-Options headers.