Search This Blog

Critical Clickjacking vulnerability in Rediffmail

Narendra Bhati, an Information security researcher from Sheogan Rajasthan, has identified a critical UI redressing vulnerability in the Rediffmail website

Narendra Bhati, an Information security researcher from Sheogan Rajasthan, has identified a critical UI redressing vulnerability in the Rediffmail website - a web based e-mail service provided by Rediff.com

Rediff is the Number one Indian web portal that offers news, information, entertainment, and shopping. Rediff.com was the first website domain name registered in India in 1996.

The website allows other websites to include the iframe of Rediffmail page

POC :
<iframe src="http://f5mail.rediff.com/ajaxprism/container#Inbox" width="1000" height="1000">

The vulnerability allows hacker to lure the victim into changing the personal information of victim.  It also allows to lure the victim into sending SMS to anyone.

Narendra has created a small POC code that lure users with "Online Prize Contest".  When a user copy&paste Gift code and click the submit button, it will update the user information. 

You can check his poc here:
http://pastebin.com/qrhZpdeX

The researcher discovered the vulnerability in january and sent notification to Rediffmail. Then as usual rediffmail not reply to him regarding to security- Then after 1 Month Narendra Decided to report it to EHN

Share it:

Narendra Bhati

UI redressing vulnerability

Vulnerability