Issue #7812 resolved

Bitbucket Allows Potential Clickjacking -- set X-Frame-Options (BB-8983)

Jay Turla
created an issue

I would like to give some warnings about the profile and setting pages in bitbucket.org. It allows remote attackers to do some clickjacking which can be used for adding arbitrary tasks in users' task list. Why? Almost all of your pages are missing the X-FRAME-OPTIONS header.

Websites are at risk of a clickjacking attack when they allow content to be embedded within a frame. An attacker may use this risk to invisibly load the target website into their own site and trick users into clicking on links which they never intended to. An "X-Frame-Options" header should be sent by the server to either deny framing of content, only allow it from the same origin, or allow it from trusted URIs.

Here is an example PoC video done by Aditya Gupta, Subho Halder and Dev Kar for Google Plus: http://www.youtube.com/watch?v=W0fTFHCxXBY (They got a hall of fame for this demo).

Vulnerability Reference: http://www.troyhunt.com/2013/05/clickjack-attack-hidden-threat-right-in.html

Google and Facebook have patched this kind of simple exploit/vulnerability. Solution: Add a header to explicitly describe the acceptable framing practices (if any) for this site.

For example, here’s what Facebook does:

X-Frame-Options: DENY

And that's why you cannot include Facebook anymore in an iframe.

Attached is my PoC screenshot too using the link https://bitbucket.org/repo/create.

Regards,

Jay Turla
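A defender-side check for the header the report asks for, added here as an example; it is not part of the original report and not Bitbucket's own code. It goes one step beyond the report by also recognising the Content-Security-Policy `frame-ancestors` directive, which modern browsers prefer over X-Frame-Options when both are present, and it flags the deprecated `ALLOW-FROM` form. The URLs, hostnames and response headers below are constructed for illustration.

```python
"""Audit HTTP response headers for clickjacking protection.

Added example (not from the original bug report). Classifies each
response by whether it restricts framing via X-Frame-Options or the
CSP frame-ancestors directive. Sample responses are constructed.
"""
from typing import Dict, List, Optional, Tuple


def _lookup(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the source list of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None


def framing_policy(headers: Dict[str, str]) -> Tuple[str, str]:
    """Classify a response as ('protected' | 'unprotected' | 'weak', reason).

    Precedence follows the CSP specification: when frame-ancestors is
    present, browsers that support it ignore X-Frame-Options entirely.
    """
    csp = _lookup(headers, "Content-Security-Policy")
    if csp:
        ancestors = parse_frame_ancestors(csp)
        if ancestors is not None:
            sources = [s.strip("'").lower() for s in ancestors]
            if "*" in sources:
                return "unprotected", "CSP frame-ancestors allows any origin (*)"
            return "protected", f"CSP frame-ancestors {' '.join(ancestors)}"

    xfo = _lookup(headers, "X-Frame-Options")
    if xfo is None:
        return "unprotected", "no X-Frame-Options and no CSP frame-ancestors"
    value = xfo.strip().upper()
    if value in ("DENY", "SAMEORIGIN"):
        return "protected", f"X-Frame-Options: {value}"
    if value.startswith("ALLOW-FROM"):
        # ALLOW-FROM was never widely supported and is ignored by current browsers.
        return "weak", "ALLOW-FROM is deprecated and ignored by modern browsers"
    return "weak", f"unrecognised X-Frame-Options value {xfo!r} (browsers ignore it)"


def audit(responses: Dict[str, Dict[str, str]]) -> Dict[str, Tuple[str, str]]:
    """Run framing_policy over a mapping of URL -> response headers."""
    return {url: framing_policy(hdrs) for url, hdrs in responses.items()}


# Constructed sample responses (hypothetical hosts, for illustration only).
SAMPLE_RESPONSES = {
    "https://example.test/repo/create": {"Content-Type": "text/html"},
    "https://example.test/settings": {"x-frame-options": "sameorigin"},
    "https://example.test/login": {"X-Frame-Options": "DENY"},
    "https://example.test/embed": {
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://trusted.example"
    },
    "https://example.test/widget": {
        "Content-Security-Policy": "frame-ancestors *",
        "X-Frame-Options": "DENY",  # ignored: frame-ancestors takes precedence
    },
    "https://example.test/legacy": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
}

if __name__ == "__main__":
    for url, (status, reason) in audit(SAMPLE_RESPONSES).items():
        print(f"{status:12} {url}  ({reason})")
```

To use it against a live service, feed `audit()` the header dicts from real responses (for example `dict(requests.head(url).headers)`); anything reported as "unprotected" or "weak" is a page that can still be framed.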

Comments (5)

  1. Jay Turla reporter

    Alright cool! :)

    LoL, I filed this 2 days ago in jira.atlassian.com under atlassian-bucket, then Jed Wesley-Smith told me that I reported it in the wrong project and should re-open this in the Bitbucket bug tracker. I'm glad it has been noticed :)