- Jan 24, 2011
- 9,378
X-Frame Options HTTP response header allows clickjacking
By changing the default search page to appear reversed on April Fools’ Day, Google created a clickjacking opportunity that could have been exploited by cybercriminals to influence the query results received by visitors of malicious websites.
The security problem emerged when Google switched to “com.google” generic top-level domain on April 1 with an iframe that allowed content to be displayed backwards.
The parameter that instructed the server to deliver the modified version of the page, however, also caused an important HTTP header (X-Frame-Options) to be omitted, allowing the search page to be included in an iframe on third-party websites.
As a result, attackers could have added an iframe with search settings page on their websites masquerading as a safe element, in order to trick visitors into triggering modifications in the Google Search options, thus carrying out a clickjacking attack.
Read more: http://news.softpedia.com/news/Goog...nk-Backfired-with-Security-Issue-478743.shtml