Report #27100

Report Date
December 20, 2023
Status
Closed
Payout

Clickjacking Vulnerability on https://basin.exchange/

Report Info

Report ID

#27100

Report type

Websites and Applications

Has PoC?

Yes

Target

https://basin.exchange

Impacts

  • Persistent content spoofing / text injection issues

Description

Hello Team,

I hope you are doing well. I found another security issue on https://basin.exchange/. See the details below.

A clickjacking vulnerability has been identified on the https://basin.exchange/ platform. Clickjacking is a security vulnerability that allows an attacker to trick users into clicking on elements unknowingly, potentially leading to unintended actions being performed.

Impact

Clickjacking vulnerabilities can lead to unauthorized actions and potential data exposure. This poses a risk to the integrity and security of user interactions on the basin.exchange platform.

Fix

Implement measures to mitigate clickjacking vulnerabilities, such as adding the X-Frame-Options header to prevent the platform from being embedded within iframes or frames on malicious websites. Additionally, review and update the platform's frontend code to ensure that user interactions are properly validated and protected against clickjacking attacks.

Steps to Reproduce

  1. Open https://www.clickjackingtest.com/ (my own website for testing iframes)
  2. Enter the URL https://basin.exchange/ and click on Submit

Observe that the web app https://basin.exchange/ is embedded in an iframe.

Reference

https://medium.com/metamask/metamask-awards-bug-bounty-for-clickjacking-vulnerability-9f53618e3c3a

https://hackerone.com/reports/591432
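The report's Fix section names X-Frame-Options as the mitigation. The check below is an added example written for this page, not code from the reporter or from the basin.exchange project: it classifies a set of HTTP response headers by how much they restrict framing, giving the CSP frame-ancestors directive precedence over X-Frame-Options (browsers that understand frame-ancestors ignore X-Frame-Options when both are present), and it runs the check against a small local server that sends both headers the way a hardened deployment would. The server, the handler name and the sample header sets are constructed for the demonstration and do not describe basin.exchange's actual responses.

```python
"""Classify HTTP responses by their anti-framing (clickjacking) protection.

Two headers are relevant: the legacy X-Frame-Options (DENY / SAMEORIGIN) and
the Content-Security-Policy frame-ancestors directive.  frame-ancestors is
evaluated first because conforming browsers ignore X-Frame-Options when it is
present.  All header values below are constructed examples.
"""
import http.server
import threading
import urllib.request


def framing_policy(headers):
    """Return 'blocked', 'same-origin', 'restricted' or 'unrestricted'
    for a mapping of response header names to values (case-insensitive)."""
    lower = {k.lower(): v for k, v in headers.items()}

    # 1. CSP frame-ancestors takes precedence when present.
    csp = lower.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.strip("'").lower() for s in parts[1:]]
            if sources == ["none"]:
                return "blocked"
            if sources == ["self"]:
                return "same-origin"
            # A wildcard or a bare scheme (e.g. "https:") lets any site frame the page.
            if not sources or "*" in sources or any(s.endswith(":") for s in sources):
                return "unrestricted"
            return "restricted"          # explicit allow-list of origins

    # 2. Fall back to the legacy header.
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "blocked"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    return "unrestricted"                # neither header set: framing allowed


class HardenedHandler(http.server.BaseHTTPRequestHandler):
    """Constructed demo handler that sends both anti-framing headers."""

    def do_GET(self):
        body = b"<html><body>hardened page</body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        # Honoured by modern browsers; overrides X-Frame-Options where supported.
        self.send_header("Content-Security-Policy", "frame-ancestors 'none'")
        # Kept for older browsers that predate frame-ancestors.
        self.send_header("X-Frame-Options", "DENY")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass                             # keep the demo quiet


def check_local_server():
    """Start the hardened server on a free loopback port, fetch '/', and
    classify the headers it actually sends."""
    server = http.server.HTTPServer(("127.0.0.1", 0), HardenedHandler)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        url = f"http://127.0.0.1:{server.server_port}/"
        with urllib.request.urlopen(url, timeout=5) as resp:
            return framing_policy(dict(resp.headers.items()))
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    # Constructed header set resembling the unprotected case in the report.
    print(framing_policy({"Content-Type": "text/html"}))
    # Constructed header set with both protections, as the hardened server sends.
    print(check_local_server())
```

The same `framing_policy` function can be pointed at the headers of any response you fetch yourself; "unrestricted" is the condition the report's Steps to Reproduce demonstrate, while "blocked" or "same-origin" is what the Fix section asks for.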

BIC Response

This is not a valid bug report because the reported behavior is not considered content spoofing. The website is open source and anyone can deploy it at any domain, let alone embed the existing one into another site as an iframe.

Due to these reasons, we are closing the submission and no reward will be issued.