Click Jacking Emals

[jeffuk]

I wasn't sure where to post this, but I wondered if any other WHMCS users have received emails like these?

I have been contacted several times by individuals requesting a bounty for discovering that WHMCS has a clickjacking vulnerability.

The email begins like this and targets clientarea.php

Quote

Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clickingon, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages.

The server didn't return an X-Frame-Options header which means that this website could be at risk of a clickjacking attack. The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame> or <iframe>. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.

I've ignored the emails but now the emails are getting a little more aggressive with threats of leaking this to black hat hackers.

 

[UnwilfulExpenditure]

1 hour ago, jeffuk said:

I wasn't sure where to post this, but I wondered if any other WHMCS users have received emails like these?

I have been contacted several times by individuals requesting a bounty for discovering that WHMCS has a clickjacking vulnerability.

The email begins like this and targets clientarea.php

I've ignored the emails but now the emails are getting a little more aggressive with threats of leaking this to black hat hackers.

 

Initially, I thought it was another whmcs price increase! But I've come to learn its just spam 😂 Whilst there are many bugs in whmcs - a properly configured install isn't that vunerable compared to any other site, there are more flaws in whmcs that pose a significant risk than clickjacking! Don't engage or feed them and they should go away! Although that sounds like whmcs approach to support - Just give your site a once over to be sure but i'd guess the guy with the most western sounding name but broken english literacy skills will go away! 🙂

We had one on an old site, We offered to pay the bounty to their bank account - If they provide all tax details and photographic ID.... I was called a flurry of names, Sent threats and eventally they stopped replying! It must have been too much effort for $10k 😛 I only engaged because it was shut down and no clients used it anymore, We were testing 7.10 at the time on it..... Ahhh simple times! 

[bear]

4 minutes ago, UnwilfulExpenditure said:

Whilst there are many bugs in whmcs - a properly configured install isn't that vunerable compared to any other site

This isn't a WHMCS bug. It's a server side setting that can easily be enabled/added and would work for all sites, not just WHMCS.
"The server didn't return an X-Frame-Options header ". 
The fix: https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html

[UnwilfulExpenditure]

7 minutes ago, bear said:

This isn't a WHMCS bug. It's a server side setting that can easily be enabled/added and would work for all sites, not just WHMCS.

Agreed, hence the 

Quote

a properly configured install isn't that vunerable compared to any other site

The link you shared was a nice read though - Never seen that site before! Out of a morbid curiousity - Do you think these spammers search for that particular php file to find installs? Because I'm pretty confident mine were fine - Certainly to the degree needed to prevent the average SK exploiting my site! I personally think it's just people chancing it, on whmcs installs (Amongst other SW) knowing that it's somewhat believable there are vunerabilities curious to hear your thoughts bear! Loving your pic btw and brian!'s 😂

[bear]

Do they search for a file?
Many ways to find WHMCS installs. Simplest is a Google dork for the powered by line, which will find all those that had not paid to remove it. Second might be to look for a very common file/URL, then read the source for the base URL bit (yup, even in branding free licenses, this exists on all pages: "whmcsBaseUrl"). So secretive. 🙄

Of course, simpler still is trying to load a page from lots of sites within an iframe, and see what gets returned. If there's no header returned about Xframes, record that URL for a further look (odds are good there's tons). If they run WHMCS, they are accepting signups and are more interested in security (Joe Public with a cat related Wordpress won't have a clue), so it's a target they're more likely to get paid by reporting and so on

Edited June 28, 2021 by bear

[UnwilfulExpenditure]

1 minute ago, bear said:

Do they search for a file?
Many ways to find WHMCS installs. Simplest is a Google dork for the powered by line, which will find all those that had not paid to remove it. Second might be to look for a very common file/URL, then read the source for the base URL bit.

Of course, simpler still is trying to load a page from lots of sites within an iframe, and see what gets returned. If there's no header returned about Xframes, record that URL for a further look (odds are good there's tons). If they run WHMCS, they are accepting signups and are more interested in security (Joe Public with a cat related Wordpress won't have a clue), so it's a target they're more likely to get paid by reporting and so on

Of course, Yeah - The logic behind the reasoning is sound. But don't you dare disparage my page about Lady Fluffs-a-lot, She is a true example of feline excellence. As a premium member of the site, you should know this 😛 

[jeffuk]

29 minutes ago, bear said:

This isn't a WHMCS bug. It's a server side setting that can easily be enabled/added and would work for all sites, not just WHMCS.

Thanks for the link. I will go through it.