Impact
Users who visit a profile and see a social website icon may fall victim to phishing and other dangerous actions due to a lack of validation, specifically clickjacking.
Example: If a user clicks on another user's Twitter icon, they expect to see that user's genuine Twitter account and not be redirected to a malicious or dangerous site.
Reproduction
- Log in and navigate to the Settings section (accessible via the Menu or Settings Link).
- Scroll down to the "Your Internet Presence" section and enter random site URLs for GitHub, Twitter, and LinkedIn.
- Save the changes, check your profile, and click on the social media icons.
- This confirms that arbitrary links can be attached to the bona fide social icons, which could lead to clickjacking.
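One way to close the gap shown in the reproduction steps, as an added example and not the project's actual patch: accept a social URL only if it parses, uses https, and its host belongs to the site the icon represents. The allowed host lists and the `validateSocialUrl` name are assumptions.

```javascript
// Added example (not the project's own code): server-side validation of a
// user-supplied social profile URL before it is stored and rendered as an icon.
// Assumed allow-lists for the three sites named in the settings form.
const ALLOWED_HOSTS = {
  github: ['github.com', 'www.github.com'],
  twitter: ['twitter.com', 'www.twitter.com', 'x.com'],
  linkedin: ['linkedin.com', 'www.linkedin.com'],
};

// Profile path: "/name" (GitHub, Twitter) or "/in/name" (LinkedIn), nothing else.
const PROFILE_PATH = /^\/[A-Za-z0-9_-]+(\/[A-Za-z0-9_-]+)?\/?$/;

// Returns a normalised https URL on the expected host, or null to reject.
function validateSocialUrl(site, value) {
  if (typeof value !== 'string' || value.trim() === '') return null; // empty = clear field
  let url;
  try {
    url = new URL(value.trim()); // throws on relative or malformed input
  } catch (e) {
    return null;
  }
  if (url.protocol !== 'https:') return null; // rejects http:, javascript:, data:
  if (url.username || url.password) return null; // "https://github.com@evil.example/"
  const hosts = ALLOWED_HOSTS[site];
  if (!hosts || !hosts.includes(url.hostname)) return null; // hostname is already lower-case
  if (!PROFILE_PATH.test(url.pathname)) return null;
  url.search = ''; // strip tracking parameters and fragments before storing
  url.hash = '';
  return url.href;
}
```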
Patches
Patches have been applied to the staging and production versions of the API.
Workarounds
Not Applicable
Credits
This security concern was identified by Michal Biesiada.