Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label UI redressing vulnerability. Show all posts
Vulnerability
Narendra Bhati UI redressing vulnerability Vulnerability

Critical Clickjacking vulnerability in Rediffmail


Narendra Bhati, an Information security researcher from Sheogan Rajasthan, has identified a critical UI redressing vulnerability in the Rediffmail website - a web based e-mail service provided by Rediff.com

Rediff is the Number one Indian web portal that offers news, information, entertainment, and shopping. Rediff.com was the first website domain name registered in India in 1996.

The website allows other websites to include the iframe of Rediffmail page

POC :
<iframe src="http://f5mail.rediff.com/ajaxprism/container#Inbox" width="1000" height="1000">

The vulnerability allows hacker to lure the victim into changing the personal information of victim.  It also allows to lure the victim into sending SMS to anyone.

Narendra has created a small POC code that lure users with "Online Prize Contest".  When a user copy&paste Gift code and click the submit button, it will update the user information. 

You can check his poc here:
http://pastebin.com/qrhZpdeX

The researcher discovered the vulnerability in january and sent notification to Rediffmail. Then as usual rediffmail not reply to him regarding to security- Then after 1 Month Narendra Decided to report it to EHN

Read more »
Subscribe to: Posts (Atom)