#1 Trusted Cybersecurity News Platform Followed by 4.50+ million
The Hacker News Logo
Get the Free Newsletter
SaaS Security

Clickjacking | Breaking Cybersecurity News | The Hacker News

New Unpatched Bug Could Let Attackers Steal Money from PayPal Users

New Unpatched Bug Could Let Attackers Steal Money from PayPal Users

May 23, 2022
A security researcher claims to have discovered an unpatched vulnerability in PayPal's money transfer service that could allow attackers to trick victims into unknowingly completing attacker-directed transactions with a single click. Clickjacking, also called UI redressing, refers to a technique wherein an unwitting user is tricked into clicking seemingly innocuous webpage elements like buttons with the goal of downloading malware, redirecting to malicious websites, or disclose sensitive information. This is typically achieved by displaying an invisible page or HTML element on top of the visible page, resulting in a scenario where users are fooled into thinking that they are clicking the legitimate page when they are in fact clicking the rogue element overlaid atop it. "Thus, the attacker is 'hijacking' clicks meant for [the legitimate] page and routing them to another page, most likely owned by another application, domain, or both," security researcher h4x0r
Fake Clickjacking Bug Bounty Reports: The Key Facts

Fake Clickjacking Bug Bounty Reports: The Key Facts

May 16, 2022
Are you aware of fake clickjacking bug bounty reports? If not, you should be. This article will get you up to speed and help you to stay alert. What are clickjacking bug bounty reports? If we start by breaking up the term into its component parts, a bug bounty is a program offered by an organization, in which individuals are rewarded for finding and reporting software bugs. These programs are often used by companies as a cost-effective way to find and fix software vulnerabilities, thereby improving the security of their products. They also help to build goodwill with the security community.  For the bounty hunters (or white hat hackers), they have an opportunity to earn money and recognition for their skills.  Clickjacking is a malicious technique used to trick users into clicking on something that they think is safe, but is actually harmful. For example, a hacker could create a fake button that looks like the "like" button on a social media site. When users click on it,
How to Find and Fix Risky Sharing in Google Drive

How to Find and Fix Risky Sharing in Google Drive

Mar 06, 2024Data Security / Cloud Security
Every Google Workspace administrator knows how quickly Google Drive becomes a messy sprawl of loosely shared confidential information. This isn't anyone's fault; it's inevitable as your productivity suite is purposefully designed to enable real-time collaboration – both internally and externally.  For Security & Risk Management teams, the untenable risk of any Google Drive footprint lies in the toxic combinations of sensitive data, excessive permissions, and improper sharing. However, it can be challenging to differentiate between typical business practices and potential risks without fully understanding the context and intent.  Material Security, a company renowned for its innovative method of protecting sensitive data within employee mailboxes, has recently launched  Data Protection for Google Drive  to safeguard the sprawl of confidential information scattered throughout Google Drive with a powerful discovery and remediation toolkit. How Material Security helps organ
Dozens of Android Apps for Kids on Google Play Store Caught in Ad Fraud Scheme

Dozens of Android Apps for Kids on Google Play Store Caught in Ad Fraud Scheme

Mar 24, 2020
More than 50 Android apps on the Google Play Store—most of which were designed for kids and had racked up almost 1 million downloads between them—have been caught using a new trick to secretly click on ads without the knowledge of smartphone users. Dubbed " Tekya ," the malware in the apps imitated users' actions to click ads from advertising networks such as Google's AdMob, AppLovin', Facebook, and Unity, cybersecurity firm Check Point Research noted in a report shared with The Hacker News. "Twenty four of the infected apps were aimed at children (ranging from puzzles to racing games), with the rest being utility apps (such as cooking apps, calculators, downloaders, translators, and so on)," the researchers said. While the offending apps have been removed from Google Play, the find by Check Point Research is the latest in an avalanche of ad fraud schemes that have plagued the app storefront in recent years, with malware posing as optimizer an
cyber security

Uncover Critical Gaps in 7 Core Areas of Your Cybersecurity Program

websiteArmor PointCyber Security / Assessment
Turn potential vulnerabilities into strengths. Start evaluating your defenses today. Download the Checklist.
QRLJacking — Hacking Technique to Hijack QR Code Based Quick Login System

QRLJacking — Hacking Technique to Hijack QR Code Based Quick Login System

Jul 28, 2016
Do you know that you can access your WeChat, Line and WhatsApp chats on your desktop as well using an entirely different, but fastest authentication system? It's SQRL , or Secure Quick Response Login, a QR-code-based authentication system that allows users to quickly sign into a website without having to memorize or type in any username or password. QR codes are two-dimensional barcodes that contain a significant amount of information such as a shared key or session cookie. A website that implements QR-code-based authentication system would display a QR code on a computer screen and anyone who wants to log-in would scan that code with a mobile phone app. Once scanned, the site would log the user in without typing in any username or password. Since passwords can be stolen using a keylogger, a man-in-the-middle (MitM) attack, or even brute force attack, QR codes have been considered secure as it randomly generates a secret code, which is never revealed to anybody else.
1 Million Computers Hacked for making big Money from Adsense

1 Million Computers Hacked for making big Money from Adsense

May 17, 2016
A group of cyber criminals has infected as much as 1 Million computers around the world over the past two years with a piece of malware that hijacks search results pages using a local proxy. Security researchers from Romania-based security firm Bitdefender revealed the presence of this massive click-fraud botnet, which the researchers named Million-Machine Campaign. For those unaware, Botnets are networks of computers infected with malware designed to take control of the infected system without the owner's knowledge, potentially being used for launching distributed denial-of-service (DDoS) attacks against websites. The malware in question is known as Redirector.Paco that alone has infected over 900,000 machines around the world since its release in 2014. The Redirector.Paco Trojan infects users when they download and install tainted versions of popular software programs, such as WinRAR, YouTube Downloader, KMSPico, Connectify, or Stardock Start8. Once infected, Paco m
Sick Facebook Scammers Exploit Robin Williams' Suicide

Sick Facebook Scammers Exploit Robin Williams' Suicide

Aug 16, 2014
Scammers spare no incident to target as many victims as possible, and this time they are exploiting the tragic death of comic actor Robin Williams by offering the fake Facebook videos proclaiming a Goodbye video message that Williams made before his death. According to Symantec, this fake Facebook post, which you may see on your walls shared by your Facebook friends, was created by scammers looking to profit on the actor's death. The bogus post claims to be a Goodbye video of Robin Williams making his last phone call before committing suicide earlier this week. Scammers and cyber criminals often use major headline news stories to lure in victims. You may fall victim to this video as the news claims to have come from the most popular and reputed BBC News website. " There is no video. Users that click on the link to the supposed video are taken to a fake BBC News website. As with many social scams, users are required to perform actions before they can view the content. In t
Facebook 'Watch naked video of friends' malware scam infects 2 million people

Facebook 'Watch naked video of friends' malware scam infects 2 million people

Mar 08, 2014
We have seen a lot of Facebook malware and virus infections spreading through friends list, and this time a new clickjacking scam campaign is going viral on Facebook. Hackers spam Facebook timeline with a friend's picture and " See (Friend)'s naked video," or "(Friend Name's) Private Video. " The Picture appears to be uploaded by a friend and definitely, you might want to see some of your Facebook friends naked, But Beware!  If you get curious and click, you will be redirected to a malicious website reports that your Flash Player is not working properly and needs to be re-installed. But in actuality it will install a malware in your system and once approved, several disguised thing can happen to you. It further installs a malicious  browser extension to spread the scam and steal users' photos. " When the link is clicked, users are sent to a very realistic-looking mockup of a YouTube page, where the hackers will try to imme
LinkedIn Clickjacking vulnerability tricks users to spam links

LinkedIn Clickjacking vulnerability tricks users to spam links

Jul 13, 2013
A Clickjacking vulnerability existed on LinkedIn that allowed an attacker to trick users for sharing and posting links on behalf of victim. Narendra Bhati(R00t Sh3ll), Security Analyst at Cyber Octet informed us about LinkedIn Bug.  Clickjacking , also referred as "User Interface redress attack" is one type of website hacking technique where an attack tricks a web user into clicking a button, a link or a picture, etc. that the web user did not intend to click, typically by overlaying the web page with an iframe. Flaw allows attacker to open LinkedIn page  https://www.linkedin.com/shareArticle? , used to share links and articles summary, in a hidden iframe. Proof of Concept:  1.) Semi Transparent Iframe Layers : 2.) Fully activated page with zero Transparency ifarme: Video Demonstration: Many countermeasures have been described that help web users protect against clickjacking attacks. X-FRAME-OPTIONS is a browser-based defense method. In order to bring the X-FR
Google Chrome Inbuilt Flash player allows Webcam Hacking

Google Chrome Inbuilt Flash player allows Webcam Hacking

Jun 18, 2013
No longer limited to Hollywood movies about cybercrime, webcam hacking has stealthily and aggressively broken into average households  " I've heard a hacker could access my webcam and watch me in front of my computer. Could this really happen? " YES, other than using a Remote administration tools, it is also technically possible using new Flash based flaw in Google Chrome. According to a recent report by security researchers, there's a big problem in Google Chrome's integrated Flash player. The proof-of-concept posted by Egor Homakov. When the play button is pressed, the user is actually allowing for his/her webcam to grab video and audio from a compromised computer without getting the user's permission. " This works precisely like regular clickjacking - you click on a transparent flash object, it allows access to Camera/Audio channel. Voila, attacker sees and hears you, " Homakov warned.  These kinds of virtual hacks have been taking place for years.
Hacking Google users with Google's GooPass phishing attack

Hacking Google users with Google's GooPass phishing attack

Mar 09, 2013
Google Drive is the new home for Google Docs , that users can access everywhere for Storing files safely. In a recent demonstration hacker successfully performed an attack on Google Docs to trick users to grab their Facebook, Gmail, Yahoo credentials with Credit Card Information. Security researcher Christy Philip Mathew came up with combination of  Clickjacking and CSRF vulnerabilities in Google's Docs that can allow a hacker to create a document in victim's Drive for further phishing attack. For those who are not aware about Clickjacking, It is a technique where an attacker tricks a user into performing certain actions on a website by hiding clickable elements inside an invisible iframe. He explain how this technique can be executed to pwn a Google user to steal victim's all type of credentials with a phishing attack. Here attacker need to send a Malicious URL to the victim, where victim needs to interact with some buttons only. Vulnerability allow
Cybersecurity Resources