Summary
- The author was looking at old HackerOne reports and considered clickjacking something from the past, but it’s still possible to find new opportunities for this type of attack.
- While reviewing old assets, they discovered a subdomain that served its login page without an X-Frame-Options header or a Content-Security-Policy (frame-ancestors) header, which would let an attacker frame the login page inside a malicious site and steal credentials.
- This would give the attacker access to the internal portal and potentially allow a wide range of follow-on attacks, including but not limited to capturing user data, intellectual property theft, data leakage, and even deploying malware.
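The following is an added example, not code from the write-up, showing how a defender can classify a response as protected or unprotected against framing from its headers alone, applying the precedence rule that a CSP `frame-ancestors` directive overrides `X-Frame-Options`. The header dictionaries are constructed samples, not captures from any real host.

```python
# Added example: classify an HTTP response's clickjacking (framing) protection.
# Standard library only; runs offline on constructed header dictionaries.
from typing import Dict, List, Optional


def _parse_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the source list of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None


def framing_protection(headers: Dict[str, str]) -> str:
    """Return 'protected' or 'unprotected' for the given response headers.

    Rules (CSP Level 3 and the X-Frame-Options RFC):
      - A CSP frame-ancestors directive, when present, takes precedence over
        X-Frame-Options. 'none', 'self' or a host list restricts framing; '*' or
        a bare http:/https: scheme source allows framing by arbitrary origins.
      - X-Frame-Options DENY or SAMEORIGIN restricts framing; the obsolete
        ALLOW-FROM form is ignored by current browsers and counts as no protection.
      - With neither header, any site may frame the page (the write-up's finding).
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    csp = lowered.get("content-security-policy")
    if csp is not None:
        ancestors = _parse_frame_ancestors(csp)
        if ancestors is not None:
            if "*" in ancestors or "http:" in ancestors or "https:" in ancestors:
                return "unprotected"
            return "protected"  # an empty source list is equivalent to 'none'
    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "protected"
    return "unprotected"


# Constructed sample responses (not captured from any real host).
LOGIN_PAGE_HEADERS = {  # the situation described above: no framing headers at all
    "Content-Type": "text/html",
    "Set-Cookie": "session=abc123; HttpOnly; Secure",
}
HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
}
```

Running `framing_protection` over each host's login response during an asset review flags the unprotected subdomain case the author found.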
The author has shared a link to a more detailed account of the event, available only to Medium members.