I was contacted by a “security researcher” the other day who dumped a serious amount of one of my websites in an email and claimed vulnerabilities were found. The one they found was the ability to clickjack my content.
If you’re not familiar with Clickjacking, basically it’s the ability to have you click on one thing but actually be clicking on another. The attacker’s page loads your site in an invisible frame laid over something the user wants to click, so the click lands on your site instead of on the decoy.
Now, none of that code sits on your site, so someone has to register a domain, host a page that frames your content, get the user onto that page, and then the user has to actually click on something.
The redirect would presumably take you to The Bad Place, or something… in terms of my sites it might cause you to download something or fake a link so that it takes you somewhere else.
But, once again, to get to that point the user has to have gone to the wrong site, and that site has to be targeting the “vulnerable” one. They wanted a bounty for pointing out a standard WordPress exploit. Meh…
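The whole scenario above only works if your page can be framed at all, and that is a one-line check on the response headers: `Content-Security-Policy: frame-ancestors` (which takes precedence in current browsers) or the older `X-Frame-Options`. Worth knowing for WordPress in particular: core’s `send_frame_options_header()` is only hooked on the admin and login pages, so the public front end is frameable unless the theme, a plugin or the web server adds the header. The following is an added example, not code from this post or from WordPress; the header sets it runs against are constructed, and `framing_protection` is a hypothetical name for the checker.

```python
"""Decide whether a set of HTTP response headers stops the page from being
framed by other origins, i.e. whether a clickjacking page could embed it.

Added example; the header dictionaries at the bottom are constructed samples.
"""
from typing import Dict, List, Optional


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the source list of the frame-ancestors directive, or None if the
    policy has no such directive. Quotes are stripped so 'self' becomes self."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip("'").lower() for p in parts[1:]]
    return None


def framing_protection(headers: Dict[str, str]) -> Dict[str, object]:
    """Classify the headers. Returns {'protected': bool, 'mechanism': str, 'detail': str}.

    Order matters: a CSP frame-ancestors directive overrides X-Frame-Options in
    browsers that support it, so it is evaluated first.
    """
    csp = _header(headers, "Content-Security-Policy")
    if csp is not None:
        sources = frame_ancestors(csp)
        if sources is not None:
            # '*' or a bare scheme (https:) lets any site frame the page;
            # 'none', 'self' or explicit origins restrict it. An empty list
            # behaves like 'none'.
            wide_open = any(s == "*" or s in ("http:", "https:") for s in sources)
            return {
                "protected": not wide_open,
                "mechanism": "csp",
                "detail": "frame-ancestors " + " ".join(sources),
            }

    xfo = _header(headers, "X-Frame-Options")
    if xfo is not None:
        value = xfo.strip().upper()
        if value in ("DENY", "SAMEORIGIN"):
            return {"protected": True, "mechanism": "xfo", "detail": value}
        # ALLOW-FROM was never widely supported and is ignored by modern
        # browsers; an unrecognised value is ignored too, so neither protects.
        return {"protected": False, "mechanism": "xfo", "detail": "ignored value: " + xfo}

    return {"protected": False, "mechanism": "none", "detail": "no framing header at all"}


if __name__ == "__main__":
    # Constructed samples: a typical WordPress front end (no header), the
    # WordPress admin (SAMEORIGIN), and a CSP that restricts framing.
    samples = {
        "front page": {"Content-Type": "text/html; charset=UTF-8"},
        "wp-admin": {"X-Frame-Options": "SAMEORIGIN", "Content-Type": "text/html"},
        "csp site": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
        "misconfigured": {"Content-Security-Policy": "frame-ancestors *"},
    }
    for name, hdrs in samples.items():
        result = framing_protection(hdrs)
        status = "protected" if result["protected"] else "FRAMEABLE"
        print(f"{name:14} {status:10} via {result['mechanism']}: {result['detail']}")
```

Run it against the headers your own site returns (a `curl -I` of the front page is enough) and you know in seconds whether a report like the one above is pointing at anything real. The fix, if it is, is the `frame-ancestors 'self'` directive or `X-Frame-Options: SAMEORIGIN` on the front end, set by the web server rather than by yet another plugin.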
But this isn’t about the security vulnerability (I could have sent them back 22 others they surprisingly missed); it’s that people claiming to be security researchers are scanning the web so they can send requests for cash.
A lot of small sites out there might fall for it. It’s a much better approach than the standard “your website has speed issues” I get nonstop.