x-frame-options

11 articles
0 6/10

Security researcher discovered a clickjacking vulnerability on Binary.com's ticktrade subdomain, using an HTML5 sandboxed iframe with specific permissions (allow-modals, allow-scripts, allow-forms, allow-popups, allow-same-origin) to bypass the page's JavaScript frame-busting defenses.

Binary.com Binary Ltd. ticktrade.binary.com Ameer Assadi
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 19 hours ago · details
0 6/10

Researcher exploited missing X-FRAME-OPTIONS headers on API endpoints disclosing sensitive user data (credit cards, emails, addresses) by embedding them in invisible iframes within a fake lottery page, using social engineering to trick users into copying and pasting their data, earning $1800 across multiple reports.

Osama Avvan Bugcrowd
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 19 hours ago · details
0 6/10

Clickjacking vulnerability in Google Docs where the absence of X-Frame-Options headers allows embedding the service in iframes, enabling attackers to trick users into activating voice typing and recording private conversations via microphone permissions.

Google Docs Raushan Raj
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 19 hours ago · details
0 5/10

Security researcher reports six clickjacking vulnerabilities across Google services (Play Store, Payments, Docs Picker, Sites) totaling $14,981.70, exploiting improper X-Frame-Options/CSP configurations and open redirects to enable unauthorized user actions like unintended subscription charges, account compromise, and private content exposure.

Google Play Google Payments Google Docs Picker Google Sites YouTube Raushan Raj
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 19 hours ago · details
0 6/10

Firefox Find My Device service was vulnerable to clickjacking attacks because it had neither an X-Frame-Options header nor frame-busting code, allowing attackers to trick users into wiping devices, changing PINs, or locking phones. The vulnerability exploited the service's usability feature of auto-redirecting authenticated users to their device ID page, making the full URL predictable without needing to guess the device ID.

Firefox OS Find My Device Where's My Fox Mozilla X-Frame-Options Mohamed A. Baset
seekurity.com · devanshbatham/Awesome-Bugbounty-Writeups · 19 hours ago · details
0 7/10

A clickjacking vulnerability in Microsoft Yammer was discovered by using HTML5 sandboxed iframes to bypass the application's frame-busting JavaScript protections, allowing attackers to iframe sensitive pages and perform unauthorized actions on behalf of logged-in users. Microsoft patched the issue by adding an X-Frame-Options: SAMEORIGIN header.

Microsoft Yammer Seekurity Mohamed A. Baset
seekurity.com · devanshbatham/Awesome-Bugbounty-Writeups · 19 hours ago · details
0 7/10

A clickjacking vulnerability in Instagram's account management endpoint allowed attackers to iframe AJAX responses containing connected application tokens and steal user credentials. The vulnerability existed because the `__a=1` parameter exposed sensitive token data in JSON format without X-Frame-Options protection, despite the regular UI having protections in place.

Instagram Facebook Mohamed A. Baset Mostafa Kassem Seekurity
seekurity.com · devanshbatham/Awesome-Bugbounty-Writeups · 19 hours ago · details
0 6/10

A clickjacking vulnerability in Telegram's web client allowed attackers to iframe the application using sandboxed iframes to bypass frame-busting JavaScript, combined with blocking the app.css stylesheet to circumvent CSS-based visibility controls, enabling CSRF attacks and unauthorized account actions. The vulnerability was fixed by implementing server-side X-Frame-Options headers.

Telegram Mohamed A. Baset Pavel Durov Seekurity
seekurity.com · devanshbatham/Awesome-Bugbounty-Writeups · 19 hours ago · details
0 5/10

WhatsApp's web client was vulnerable to clickjacking attacks because it had neither an X-Frame-Options header nor frame-busting code, allowing attackers to trick users into sending messages, creating groups, or making calls on their behalf. The vulnerability was reported to Facebook in January 2015 and subsequently fixed with an X-Frame-Options: Deny header.

WhatsApp Facebook Telegram Mohamed A. Baset Seekurity Brian Acton Jan Koum
seekurity.com · devanshbatham/Awesome-Bugbounty-Writeups · 19 hours ago · details
0 6/10

A clickjacking vulnerability in Facebook's AJAX endpoint (/ajax/home/generic.php): the endpoint lacked an X-Frame-Options header, allowing attackers to iframe it and redress the UI to trick victims into adding attackers to secret groups or performing other unintended actions via form submission.

Facebook Mohamed A. Baset Seekurity
seekurity.com · devanshbatham/Awesome-Bugbounty-Writeups · 19 hours ago · details
0 6/10

A writeup demonstrating how chaining self-XSS with clickjacking (UI redressing), made possible by a missing X-Frame-Options header, can achieve session hijacking: a drag-and-drop PoC executes malicious JavaScript in the victim's browser and steals the victim's cookies.

Armaan Pathan InfoSec Write-ups HackerOne Bugcrowd Rahul Maini
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 19 hours ago · details