ui-redressing

5 articles
0 5/10

A clickjacking vulnerability on the Google Custom Search Engine (CSE) settings page allows attackers to trick users into deleting their CSE instances through UI redressing, by overlaying fake buttons on an embedded iframe. Google rejected the finding as not severe enough despite the ability to delete user data.

Google CSE cse.google.com Akbar Kustirama
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 20 hours ago · details
0 7/10

A clickjacking vulnerability in Instagram's account management endpoint allowed attackers to iframe AJAX responses containing connected application tokens and steal user credentials. The vulnerability existed because the `__a=1` parameter exposed sensitive token data in JSON format without X-Frame-Options protection, despite the regular UI having protections in place.

Instagram Facebook Mohamed A. Baset Mostafa Kassem Seekurity
seekurity.com · devanshbatham/Awesome-Bugbounty-Writeups · 20 hours ago · details
0 6/10

Facebook's AJAX endpoint (/ajax/home/generic.php) lacked X-Frame-Options headers, a clickjacking vulnerability that allowed attackers to iframe the endpoint and redress the UI to trick victims into adding attackers to secret groups or performing other unintended actions via form submission.

Facebook Mohamed A. Baset Seekurity
seekurity.com · devanshbatham/Awesome-Bugbounty-Writeups · 20 hours ago · details
0 8/10

The Steam Inventory Helper Chrome extension v1.13.6 suffered from a DOM-based XSS in bookmarks.html combined with clickjacking via over-permissive web_accessible_resources, allowing arbitrary JavaScript execution in the extension's privileged context and hijacking of all authenticated websites. The vulnerability exploits jQuery's unsafe DOM manipulation APIs (html/append) paired with the unsafe-eval CSP directive, weaponized through UI redressing to trick users into pasting XSS payloads.

Steam Inventory Helper Matthew Bryant Chrome
thehackerblog.com · devanshbatham/Awesome-Bugbounty-Writeups · 20 hours ago · details
0 6/10

A writeup demonstrating how chaining self-XSS with clickjacking (UI redressing) via a missing X-Frame-Options header can achieve session hijacking by stealing victim cookies through a drag-and-drop PoC that executes malicious JavaScript in the victim's browser.

Armaan Pathan InfoSec Write-ups HackerOne Bugcrowd Rahul Maini
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 20 hours ago · details