The official Telegram web-client that allows its users to access messenger account over desktop’s web browser is vulnerable to clickjacking web application vulnerability.
Egyptian security researcher Mohamed A. Baset told The Hacker News about a flaw in Telegram that could allow an attacker to change sensitive information of a Telegram user, including password and the recovery e-mail. [Watch Video Demo]
Egyptian security researcher Mohamed A. Baset told The Hacker News about a flaw in Telegram that could allow an attacker to change sensitive information of a Telegram user, including password and the recovery e-mail. [Watch Video Demo]
"Telegram web client is not protecting itself from clickjacking with the typical X-Frame-Options header but uses a JS frame busting technique to prevent the website to be iframed," Mohamed says.However, by exploiting one of HTML5 Features, Mohamed was able to open the Telegram account’s settings page with a sandboxed iframe to prevent redirecting to top window, which also allows him to execute cross-site request forgery (csrf) vulnerability on the web-client.
No comments:
Post a Comment