Tabnabbing & Clickjacking on steemit.chat, Clickjacking on Steemit registration page

In two of my recent articles I tested the security of Steemit and other social media platforms from the point of view of Tabnabbing and Clickjacking:

The conclusion of both tests on https://steemit.com was that Steemit is quite robust. After that, though, I found out about the existence of https://steemit.chat and... drumroll... it's vulnerable to both attacks!

  • Tabnabbing

[image: steemit chat - tabnabbing too.png]

As you can see in the screenshot, links posted in the channels use target="_blank" so that they open in a new tab, but no rel attribute is present to block Tabnabbing.
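To make the missing-rel condition concrete from the defender's side, here is an added example (my own illustration, not code from the article or from steemit.chat) that audits rendered HTML for anchors opening a new tab without rel="noopener" (or "noreferrer", which implies it) and rewrites them with the rel tokens recommended in the fix section. The markup it scans is a constructed sample, not real chat output; the hardenDom helper is the same check against a live DOM for use in a browser console.

```javascript
// Added example, not from the original article: find anchors that are
// exposed to tabnabbing (target="_blank" without noopener/noreferrer)
// and emit a hardened copy of the markup.

// Constructed sample markup, not real steemit.chat output.
const SAMPLE_HTML = `
<p>Check this out: <a href="https://example.org/post" target="_blank">post</a></p>
<p>Safe: <a href="https://example.org/docs" target="_blank" rel="noopener noreferrer">docs</a></p>
<p>Same tab: <a href="/home">home</a></p>
<p>Wrong rel: <a target="_blank" rel="nofollow" href="https://example.org/x">x</a></p>
`;

const ANCHOR_SRC = '<a\\b([^>]*)>';

// Parse the attribute text of one tag into a lowercase-keyed object.
function parseAttrs(attrText) {
  const attrRe = /([a-zA-Z-]+)\s*=\s*("([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  const attrs = {};
  let m;
  while ((m = attrRe.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = m[3] ?? m[4] ?? m[5] ?? '';
  }
  return attrs;
}

function relTokens(attrs) {
  return new Set((attrs.rel || '').toLowerCase().split(/\s+/).filter(Boolean));
}

// Unsafe when the link opens a new browsing context and nothing severs the
// window.opener reference (noreferrer implies noopener in current browsers).
function isTabnabbable(attrs) {
  if ((attrs.target || '').toLowerCase() !== '_blank') return false;
  const rel = relTokens(attrs);
  return !(rel.has('noopener') || rel.has('noreferrer'));
}

// Return the hrefs of every anchor in the HTML that fails the check.
function auditHtml(html) {
  const findings = [];
  const re = new RegExp(ANCHOR_SRC, 'gi');
  let m;
  while ((m = re.exec(html)) !== null) {
    const attrs = parseAttrs(m[1]);
    if (isTabnabbable(attrs)) findings.push(attrs.href || '(no href)');
  }
  return findings;
}

// Rewrite unsafe anchors with the rel value the fix section recommends,
// keeping any rel tokens that were already present.
function hardenHtml(html) {
  return html.replace(new RegExp(ANCHOR_SRC, 'gi'), (tag, attrText) => {
    const attrs = parseAttrs(attrText);
    if (!isTabnabbable(attrs)) return tag;
    const rel = relTokens(attrs);
    ['noopener', 'noreferrer', 'nofollow'].forEach(t => rel.add(t));
    const stripped = attrText.replace(/\srel\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/i, '');
    return `<a${stripped} rel="${[...rel].join(' ')}">`;
  });
}

// Same check against a live page (browser only); returns how many anchors
// were fixed in place.
function hardenDom(doc) {
  let fixed = 0;
  for (const a of doc.querySelectorAll('a[target="_blank"]')) {
    if (!isTabnabbable({ target: '_blank', rel: a.getAttribute('rel') || '' })) continue;
    const rel = relTokens({ rel: a.getAttribute('rel') || '' });
    ['noopener', 'noreferrer', 'nofollow'].forEach(t => rel.add(t));
    a.setAttribute('rel', [...rel].join(' '));
    fixed++;
  }
  return fixed;
}

if (typeof document !== 'undefined') {
  console.log(`fixed ${hardenDom(document)} anchors`);
} else {
  console.log('unsafe anchors:', auditHtml(SAMPLE_HTML));
  console.log(hardenHtml(SAMPLE_HTML));
}
```

The regex-based scan is adequate for auditing a chat transcript or a template dump offline; on a real site the DOM walk in hardenDom is the reliable check, since the served markup may be built client-side.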

If you want to exploit the vulnerability for testing purposes in your browser, you can simply replace the href of an existing link posted in the chat so that it points at https://mycatnamedweb.github.io (e.g. Chrome Developer Tools -> Edit as HTML).

As you can see, after clicking on the link and opening my GitHub Page, a couple of seconds later the Steemit chat page is replaced by a trivial phishing page (just a screenshot of the Facebook login page).
Clearly, posting the link in the chat would have the same result.

This attack works on all major browsers.

The phishing page may simply use a keylogger to steal your credentials. Example in JavaScript:

[image: keylogger.png]


  • Clickjacking

[image: steemit chat - iframe login.png]

As you can see in the screenshot, the current URL in the browser is facebook.com but the browser displays a full-page login of steemit.chat. That's achieved simply by using an iframe that points to https://steemit.chat/home. In this case the iframe has been added on the client side, but in a real scenario it would be injected on a vulnerable page (e.g. XSS) or used in a page with a similar URL (e.g. steemlt.com), and fake input fields would be overlaid on the real credentials fields.

PS. The Steemit registration page https://signup.steemit.com is also vulnerable to Clickjacking!


[image: registration page.png]



HOW TO FIX IT:

See my previous articles on Tabnabbing and Clickjacking.
In a nutshell:

  • Tabnabbing: on every anchor that uses target="_blank" add the rel attribute set to "noreferrer nofollow noopener", or alternatively launch links in new tabs only through a temporary iframe.
  • Clickjacking: your server has to return the header X-Frame-Options set to DENY so that browsers will refuse to render your website inside an iframe.