Security researcher Prakhar Prasad has identified a potentially dangerous clickjacking vulnerability that affects the popular gaming and social media website ibibo.com, owned by one of the leading business-to-consumer platforms in India.
“On 19th June 2012, while browsing to the website, I noticed that the site does not use the X-FRAME-OPTIONS header to prevent framing of important pages which can be used to click-jack users of ibibo.com to perform different kinds of action on behalf of them,” he explained.
According to the expert, because the site is designed to allow framing, clickjacking attacks can be easily launched.
In a video proof-of-concept that he published, the researcher shows how a potential attacker could use a cleverly crafted game to trick the victim into publishing arbitrary content on his/her profile.
Prasad assumes that if the ibibo.com account were linked to Facebook or Twitter, the status posted by the cybercriminal might be pushed automatically to those social media sites as well.
The expert advises ibibo.com webmasters to restrict the framing of important webpages by using the X-Frame-Options HTTP response header that prevents browsers from rendering pages in a <frame> or <iframe>.
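As an added example (not code from the article, the researcher or ibibo.com), the following Python classifies a response's headers the way the researcher checked them by hand, and applies the advised fix; the sample headers are constructed, and browsers give a Content-Security-Policy frame-ancestors directive precedence over X-Frame-Options, so it is checked first.

```python
"""Classify whether an HTTP response allows the page to be framed, and
apply the anti-framing headers. Header dicts are assumed to use one
canonical spelling per header name (constructed example)."""
from typing import Mapping, Optional


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    # Header names are case-insensitive, so compare lower-cased.
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def framing_verdict(headers: Mapping[str, str]) -> str:
    """Return 'denied', 'same-origin', 'restricted' or 'frameable'."""
    csp = _header(headers, "Content-Security-Policy")
    if csp:
        for directive in csp.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                sources = [s.strip("'").lower() for s in parts[1:]]
                if sources == ["none"]:
                    return "denied"
                if sources == ["self"]:
                    return "same-origin"
                return "restricted"  # only the listed origins may frame it
    xfo = _header(headers, "X-Frame-Options")
    if xfo:
        value = xfo.strip().upper()
        if value == "DENY":
            return "denied"
        if value == "SAMEORIGIN":
            return "same-origin"
        # ALLOW-FROM is obsolete and unknown values are ignored by browsers,
        # so anything else leaves the page frameable.
    return "frameable"


def add_framing_protection(headers: dict, policy: str = "DENY") -> dict:
    """Return a copy of headers with X-Frame-Options set and the matching
    frame-ancestors directive added to any existing CSP."""
    fixed = dict(headers)
    fixed["X-Frame-Options"] = policy
    directive = "frame-ancestors " + ("'none'" if policy == "DENY" else "'self'")
    csp = _header(fixed, "Content-Security-Policy")
    if csp is None:
        fixed["Content-Security-Policy"] = directive
    elif "frame-ancestors" not in csp.lower():
        fixed["Content-Security-Policy"] = csp.rstrip("; ") + "; " + directive
    return fixed


# Constructed sample response headers, not captured from ibibo.com.
BEFORE = {"Content-Type": "text/html; charset=utf-8", "Server": "nginx"}
AFTER = add_framing_protection(BEFORE)
```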
For regular users, he recommends the NoScript Firefox add-on, which is designed to stop clickjacking attacks.
“As general security advice, people should not follow suspicious links or click on pages that look fishy, especially when sent or given by an unknown user/mailer,” he concludes.
Ibibo.com representatives have been contacted by the researcher, but he claims that so far they haven’t responded to his inquiry.
This is not the first time security enthusiasts have found vulnerabilities on the Ibibo website. A simple Google search reveals that over the past couple of years a number of flaws have been reported, including a couple of cross-site scripting (XSS) issues.
Update: Prasad has told Softpedia that Ibibo has addressed the vulnerability on its website by adding the X-Frame-Options header. On the other hand, he has revealed that the security hole still exists on the mobile version of the site.