Summary
YourSpotify version <1.9.0 does not prevent other pages from displaying it in an iframe and is thus vulnerable to clickjacking.
Clickjacking can be used to trick an existing user of YourSpotify into triggering actions, such as allowing signup of other users or deleting the current user account.
Details
Clickjacking works by opening the target application in an invisible iframe on an attacker-controlled site and luring a victim into visiting the attacker page and interacting with it. By positioning elements over the invisible iframe, a victim can be tricked into triggering malicious or destructive actions in the invisible iframe while they believe they are interacting with an entirely different site.
YourSpotify currently does not prevent other pages from displaying it in an iframe. To prevent clickjacking it should set a Content Security Policy such as:
Content-Security-Policy: frame-ancestors 'none';
See https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html for more information.
Proof of Concept
To create a clickjacking proof of concept, the Burp Clickbandit tool in Burp Suite Community Edition can be used. Using this tool, a proof of concept to delete the first account can be easily created.
Note: Because of SameSite cookie fallbacks, the created proof of concept only works reliably in Firefox.
The following screenshot shows http://frontend.yourspotify.internal:3000/settings/admin being opened in an iframe. For demonstration purposes, it is not fully invisible but is shown with a very low opacity. The attacker page displays a red "click" button directly above the "delete account" button in the iframe to trick the user into clicking it. After that click, the iframe and button would move so that the "click" button is positioned over the confirmation popup next.

You can also easily test for clickjacking by trying to embed YourSpotify into any other page using an iframe. This should be rejected for security purposes. As long as YourSpotify can be embedded into other websites, it is vulnerable to clickjacking.
Impact
When a victim visits an attacker-controlled site while they are logged into YourSpotify, they can be tricked into performing actions on their YourSpotify instance without their knowledge. These actions include allowing signup of other users or deleting the current user account, resulting in a high impact on the integrity of YourSpotify.