bug-bounty448
google354
xss341
microsoft283
facebook246
apple171
exploit163
rce160
malware102
account-takeover95
cve91
bragging-post84
csrf83
browser77
writeup76
privilege-escalation68
react60
authentication-bypass57
cloudflare54
dos53
node52
ssrf51
docker51
phishing50
aws48
access-control47
oauth45
smart-contract45
supply-chain44
ethereum43
defi42
web342
sql-injection41
lfi37
idor35
smart-contract-vulnerability32
vulnerability-disclosure32
web-application31
burp-suite31
reverse-engineering31
clickjacking31
race-condition31
info-disclosure31
wordpress30
cloud29
input-validation29
information-disclosure29
web-security27
solidity27
cors26
0
6/10
vulnerability
A clickjacking vulnerability in Telegram's web client allowed attackers to iframe the application using sandboxed iframes to bypass frame-busting JavaScript, combined with blocking the app.css stylesheet to circumvent CSS-based visibility controls, enabling CSRF attacks and unauthorized account actions. The vulnerability was fixed by implementing server-side X-Frame-Options headers.
clickjacking
csrf
web-application
telegram
frame-busting
x-frame-options
sandbox-bypass
html5
client-side-security
mitm
Telegram
Mohamed A. Baset
Pavel Durov
Seekurity
0
7/10
bug-bounty
Stored blind XSS vulnerability in Telegram iOS app allowing arbitrary HTML/JavaScript execution via unvalidated HTML files in webview, enabling device fingerprinting, user activity tracking, and IP geolocation. Successfully exploited by uploading malicious HTML file that executed JavaScript to extract navigator object data and communicate with attacker server.
stored-xss
blind-xss
ios
webview
telegram
whatsapp
html-injection
device-fingerprinting
user-tracking
information-disclosure
bug-bounty-writeup
Telegram
WhatsApp
Facebook
CVE-2018-UNKNOWN
omespino
iPhone 6
iPhone 7
iOS 11.2.5
iOS 11.2.6
Telegram iOS 4.7.1