Researcher Nikhil P. Kulkarni had sent the company 4-5 POCs before they took him seriously
Security researcher Nikhil P. Kulkarni has identified a clickjacking (User Interface redress) vulnerability in Microsoft’s social media website Socl (So.cl). The expert told the company of the flaw back in August, but they addressed it only a few days ago.“Social Networking sites today are accessed by millions of internet users as it is the best way to stay connected with their near and dear ones. But if they aren’t careful, then they might fall prey for various scams,” the researcher told Softpedia in an email.
“And one such scam is Clickjacking/UI Redress Attacks, where a user can easily be fooled by the hackers. Hackers can get victims to click on their links by disguising them as content that the victim may find interesting such as free gifts or ‘click to win million dollar’ reward scams.”
Kulkarni explains that attackers can trick victims into performing certain actions by hiding their malicious pages on top of legitimate pages in a transparent layer.
“The users think that they are clicking visible buttons, while they are actually performing actions on the hidden page. The hidden page may be an authentic page; therefore, the attackers can trick the victims into performing actions which the victim never wanted to perform,” the expert noted.
The worst part about these types of clickjacking attacks is that the cybercriminals that launch them are difficult to track down as the victim is genuinely authenticated on the hidden page.
Initially, after being notified of the vulnerability, Microsoft told the researcher that it was not a security issue. Despite the fact that he had later provided them with 4-5 proof-of-concepts, they still rejected his reports.
They have only recently realized that this really was a flaw that should be addressed.
Kulkarni says that Microsoft is doing a fairly good job of addressing vulnerabilities in Socl, but he highlights that it takes the company a lot of time because of the large number of bug reports it receives.