Clickjacking
Report ID
#28596
Report type
Websites and Applications
Has PoC?
Yes
Target
Impacts
- Taking down the application/website requiring manual restoration
Bug Description
A clickjacking vulnerability has been identified on Beanstalk (https://basin.exchange/). Clickjacking is a security vulnerability that allows an attacker to trick users into clicking on elements unknowingly, potentially leading to unintended actions being performed.
Fix
Implement measures to mitigate clickjacking vulnerabilities, such as adding the X-Frame-Options header to prevent the platform from being embedded within iframes or frames on malicious websites. Additionally, review and update the platform's frontend code to ensure that user interactions are properly validated and protected against clickjacking attacks.
Impact
Clickjacking vulnerabilities can lead to unauthorized actions, potential data exposure, or manipulation of user accounts. This poses a risk to the integrity and security of user interactions on Beanstalk.
Proof of concept
- Open https://www.clickjackingtest.com/ (my own site for testing iframes)
- Enter the URL https://basin.exchange/ and click on submit
- Observe that the web app is embedded in an iframe
Let me know if you want further information
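As an added example (not part of the whitehat's report or of Immunefi's response), a small Python checker for the fix described above: given a response's headers, it applies browser precedence (CSP frame-ancestors first, then X-Frame-Options) to decide whether a given origin may frame the page. The sample header sets and the framer origins are constructed, not captured from basin.exchange.

```python
from urllib.parse import urlsplit

# Constructed sample header sets (not captured from basin.exchange): the first is
# the unprotected state the report describes, the rest are hardened variants.
SAMPLE_RESPONSES = {
    "unprotected": {"Content-Type": "text/html"},
    "xfo_deny": {"X-Frame-Options": "DENY"},
    "xfo_sameorigin": {"x-frame-options": "sameorigin"},
    "csp_self": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
    "csp_overrides_xfo": {  # browsers apply frame-ancestors and ignore XFO here
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "frame-ancestors https://partner.example",
    },
}

def _header(headers, name):
    """Case-insensitive lookup, since HTTP header names are not case-sensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None

def _origin(url):
    return "{0.scheme}://{0.netloc}".format(urlsplit(url)).lower()

def framing_allowed(headers, page_url, framer_origin):
    """Return (allowed, reason) for a document at framer_origin embedding page_url.
    Browser precedence: CSP frame-ancestors wins when present, then X-Frame-Options,
    otherwise any site may frame the page (the clickjacking condition in the report).
    Only exact origins, 'self' and 'none' are handled, not scheme or wildcard sources."""
    framer = framer_origin.lower()
    csp = _header(headers, "Content-Security-Policy") or ""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            sources = [t.strip("'").lower() for t in tokens[1:]]
            if "none" in sources:
                return False, "CSP frame-ancestors 'none'"
            if ("self" in sources and framer == _origin(page_url)) or framer in sources:
                return True, "CSP frame-ancestors permits this origin"
            return False, "CSP frame-ancestors does not list this origin"
    xfo = _header(headers, "X-Frame-Options")
    if xfo is None:
        return True, "no anti-framing header: any site can embed this page"
    value = xfo.strip().upper()
    if value == "DENY":
        return False, "X-Frame-Options: DENY"
    if value == "SAMEORIGIN":
        return framer == _origin(page_url), "X-Frame-Options: SAMEORIGIN"
    return True, f"X-Frame-Options value {xfo!r} is invalid and ignored by browsers"
```

Run it against the headers of a live response (for example from `requests.head(url).headers`) to confirm a deployed fix; the "csp_overrides_xfo" case shows why both headers should agree rather than relying on X-Frame-Options alone.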
Immunefi Response
Immunefi has reviewed this vulnerability report and decided to close it, since it is out of scope for the Beanstalk bug bounty program.
- claimed impact by the whitehat is in scope for the bug bounty program
- claimed asset by the whitehat is in scope for the bug bounty program
- claimed severity is not in scope for the bug bounty program
Since this bug bounty program does not require Immunefi's triaging, note that Immunefi does not:
- check if whitehat's claims are factually correct
- check PoC to understand the validity
- assess the submission's severity
These activities are the project's responsibility.
The project will now be automatically subscribed and receive a report of the closed submission and can evaluate if they are interested in re-opening it. However, note that they are not under any obligation to do so.