bug-bounty432
google350
xss348
microsoft279
facebook245
apple171
exploit158
rce153
malware95
account-takeover94
cve87
csrf82
writeup78
bragging-post78
browser76
privilege-escalation66
react59
authentication-bypass57
cloudflare54
dos53
ssrf51
docker51
node49
aws47
access-control47
smart-contract45
phishing45
oauth45
ethereum43
defi42
supply-chain42
sql-injection41
web341
lfi37
idor34
smart-contract-vulnerability32
clickjacking31
web-application31
wordpress30
race-condition30
reverse-engineering30
info-disclosure29
vulnerability-disclosure29
cloud28
information-disclosure28
burp-suite28
solidity27
web-security27
cors26
responsible-disclosure26
0
6/10
Security researcher discovered and bypassed a clickjacking vulnerability on Binary.com's ticktrade subdomain by exploiting HTML5 sandboxed iframes with specific permissions (allow-modals, allow-scripts, allow-forms, allow-popups, allow-same-origin) to circumvent JavaScript frame-busting defenses.
clickjacking
html5
sandbox-bypass
frame-busting-bypass
x-frame-options
iframe-attack
web-application-security
bug-bounty
Binary.com
Binary Ltd.
ticktrade.binary.com
Ameer Assadi
0
6/10
vulnerability
A clickjacking vulnerability in Telegram's web client allowed attackers to iframe the application using sandboxed iframes to bypass frame-busting JavaScript, combined with blocking the app.css stylesheet to circumvent CSS-based visibility controls, enabling CSRF attacks and unauthorized account actions. The vulnerability was fixed by implementing server-side X-Frame-Options headers.
clickjacking
csrf
web-application
telegram
frame-busting
x-frame-options
sandbox-bypass
html5
client-side-security
mitm
Telegram
Mohamed A. Baset
Pavel Durov
Seekurity