This blog post reports on a ClickJacking vulnerability in Google Drive that has not been fixed for more than five months. I will discuss how this vulnerability was discovered in a semi-automated fashion, what caused it, and how Google could and should have fixed it.
In an attempt to live up to Mr. Curtis “50 Cent” Jackson’s life guidance (Get Rich Or Die Tryin’), I wanted to build something that automated many of the checks I performed when hunting bugs manually. One of these checks is to verify whether web pages send the correct security headers. A header that should be present on every web page containing a form that initiates a state change is X-Frame-Options. By sending this header, a website operator can protect users against ClickJacking attacks, because the browser then refuses to render the page inside a frame on another site.
X-Frame-Options is not the only mechanism to protect against ClickJacking: the frame-ancestors directive of Content Security Policy (CSP) does this as well. Note that when a response carries both, a browser that supports frame-ancestors applies the CSP directive and ignores X-Frame-Options entirely, so the two must agree, and a report-only CSP header blocks nothing.
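The header check described above, covering both X-Frame-Options and CSP frame-ancestors, as an added example. This is illustrative code written for this post, not the author's scanner and not anything from Google; the function names, the `OPEN_SOURCES` set and the sample header sets are my own assumptions. It encodes the browser rules that matter for an audit: an enforced CSP with frame-ancestors wins over X-Frame-Options, every Content-Security-Policy header is enforced, report-only headers are ignored, and ALLOW-FROM or unrecognised X-Frame-Options values leave the page framable.

```python
"""Audit an HTTP response's headers for clickjacking protection.

Illustrative helper added to this post; it is not the author's scanner and
not Google's code.  Headers are handled as (name, value) pairs because a
response may legitimately carry several Content-Security-Policy headers,
each of which the browser enforces.
"""
import sys
import urllib.request
from typing import Iterable, List, Optional, Tuple

# Source expressions that let any origin (or any origin of a scheme) frame
# the page.  Assumed set for this example.
OPEN_SOURCES = {"*", "http:", "https:", "*:"}


def frame_ancestors(policy: str) -> Optional[List[str]]:
    """Return the lower-cased source list of the frame-ancestors directive
    of one CSP header, or None if the policy has no such directive.  A bare
    "frame-ancestors;" yields [], which the spec treats like 'none'."""
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def assess(headers: Iterable[Tuple[str, str]]) -> Tuple[bool, str]:
    """Return (protected, reason) for a response's headers.

    Browser rules applied:
      * An enforced CSP with frame-ancestors takes precedence; when one is
        present the browser ignores X-Frame-Options entirely.
      * Every Content-Security-Policy header is enforced, so the page is
        protected if any one of them restricts framing.
      * Content-Security-Policy-Report-Only only reports; it blocks nothing.
      * X-Frame-Options DENY and SAMEORIGIN protect.  ALLOW-FROM is not
        supported by current browsers and unrecognised values are ignored,
        so both leave the page framable.  Conflicting values make browsers
        refuse to frame, so they count as protected.
    """
    csp_lists: List[List[str]] = []
    xfo: List[str] = []
    for name, value in headers:
        key = name.strip().lower()
        if key == "content-security-policy":
            sources = frame_ancestors(value)
            if sources is not None:
                csp_lists.append(sources)
        elif key == "x-frame-options":
            xfo.extend(v.strip().lower() for v in value.split(",") if v.strip())

    if csp_lists:
        for sources in csp_lists:
            if not any(s in OPEN_SOURCES for s in sources):
                shown = " ".join(sources) or "'none'"
                return True, f"CSP frame-ancestors {shown}"
        return False, "CSP frame-ancestors permits any origin"

    if not xfo:
        return False, "no X-Frame-Options or CSP frame-ancestors"
    if len(set(xfo)) > 1:
        return True, "conflicting X-Frame-Options values (browsers block)"
    if xfo[0] in ("deny", "sameorigin"):
        return True, f"X-Frame-Options {xfo[0].upper()}"
    return False, f"X-Frame-Options '{xfo[0]}' is ignored by browsers"


def fetch_headers(url: str, cookie: Optional[str] = None) -> List[Tuple[str, str]]:
    """Fetch a URL and return its response headers as (name, value) pairs.
    Pass the session cookie when auditing: the page with the state-changing
    form is usually only reachable when logged in, and its headers may
    differ from those of the public landing page."""
    req = urllib.request.Request(url, headers={"User-Agent": "xfo-audit/0.1"})
    if cookie:
        req.add_header("Cookie", cookie)
    with urllib.request.urlopen(req) as resp:
        return resp.getheaders()


if __name__ == "__main__":
    # Constructed sample responses, not captured from Google Drive.
    samples = {
        "no headers": [],
        "XFO only": [("X-Frame-Options", "SAMEORIGIN")],
        "CSP overrides XFO": [("Content-Security-Policy", "frame-ancestors *"),
                              ("X-Frame-Options", "DENY")],
        "report-only": [("Content-Security-Policy-Report-Only",
                         "frame-ancestors 'none'")],
    }
    for label, hdrs in samples.items():
        print(f"{label:20} -> {assess(hdrs)}")
    for url in sys.argv[1:]:
        print(f"{url} -> {assess(fetch_headers(url))}")
```

Run it with one or more URLs as arguments to audit live pages; without arguments it only evaluates the constructed samples. The "CSP overrides XFO" sample is the case an automated check most easily gets wrong: a DENY header looks reassuring, but the accompanying `frame-ancestors *` is what the browser actually enforces.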