Scam Alert: False Vulnerability Reports from "Security Researchers" Using X-Frame-Bypass Library #53
Comments
Hey @pauliusjacionis, thanks for raising this! I saw a bug bounty report similar to what you mentioned using this tool to bypass X-Frame-Options, and the reporter suggested using the "Content-Security-Policy: frame-ancestors 'self';" header. Any thoughts on alternative measures that can be implemented besides depending solely on the CSP header?
We have had a similar attempt at my company. All that was shown as evidence was a sign in page on their localhost as well as the HTML from that page they were hosting. Just to reaffirm others, @pauliusjacionis is correct as far as I can tell with a quick dive into it.
Proxy servers can strip headers, meta tags, and modify HTML. The suggested solution would not fix the "vulnerability". This is a scam. There is no vulnerability, and there is no fix. The scammers claim they can clickjack your website, but that is not what is happening. They are clickjacking a different domain name. Sure, it appears to be your website, but it is not. It's just a live copy of your website. They could simply upload a copy of your website's HTML on their server and achieve the same result—no proxy needed.
Thanks for posting the clarification. Bug bounty scammers are still active. Please consider pinning this issue or adding a small reference in the readme.
+1, just received one too and was highly sceptical as usual (I couldn't see how this could be exploited for real) but I didn't know about this so I investigated a bit to learn about the CSP attribute they mention. Thanks for confirming here as it saved me some reading and testing 🙇♂️ . I guess this is a good "vulnerability" for the scammers because it is:
As I checked this project right after receiving the report, I agree with @HansSchouten it would be nice to add some line to the readme just to warn the future victims and save them some time. I understand this shouldn't be the responsibility of the library writer to deal with scammers, but unfortunately I don't see a better place to help the targets.
We are facing the same scammers, thank you for unambiguous information! :)
Hello everyone,
I recently received an email from a "security researcher" who used the X-Frame-Bypass library to report an "X-Frame-Options bypass bug". They were expecting a bug bounty payment.
I want to draw attention to this: the library DOES NOT actually bypass X-Frame-Options; it only creates the illusion of a bypass. Because traffic is proxied through a different domain name, session data and cookies are lost. This "bypass" is entirely harmless.
Be cautious of bug bounty scams and fraudulent security researchers.
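The two claims made in this thread (a proxy can strip whatever framing headers it likes, and a proxied copy on another origin never receives the target's session cookie) can be checked mechanically when triaging one of these reports. The script below is an added example, not part of the x-frame-bypass project or of this issue; the hostnames `target.example` / `proxy.example` / `evil.example`, the sample response headers and the session cookie are all constructed for illustration. It classifies a report by asking two questions: does the PoC iframe actually load the target's origin, and, if so, does the target's own X-Frame-Options / CSP frame-ancestors policy permit the PoC page's origin to frame it? The `framing_allowed` evaluator is deliberately simplified (exact-origin matches and `'self'`/`'none'` only; no wildcards or scheme-less host sources).

```python
"""Triage helper for "X-Frame-Options bypass" bug-bounty reports (added example).

Demonstrates, with constructed data, why a proxied copy of a page is not a
clickjacking bypass:
  1. the framed document is on the proxy's origin, not the target's;
  2. the browser cookie jar scopes cookies by host, so the target's session
     cookie is never attached to a request for the proxy's URL;
  3. the framing headers on the proxied copy are whatever the proxy emits,
     so their absence says nothing about the target's real policy.
"""
from http.cookiejar import Cookie, CookieJar
from urllib.parse import urlsplit
from urllib.request import Request

# Constructed sample data (assumed names, not real hosts).
TARGET = "https://target.example/login"
PROXY = "https://proxy.example/?url=https://target.example/login"
TARGET_HEADERS = {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'self'",
}


def origin(url: str) -> str:
    """scheme://host[:port] of a URL, which is what framing policy is keyed on."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def same_origin(a: str, b: str) -> bool:
    return origin(a) == origin(b)


def make_session_cookie(domain: str, name: str = "session", value: str = "secret") -> Cookie:
    """A host-scoped, Secure session cookie as a browser would store it for the target."""
    return Cookie(version=0, name=name, value=value, port=None, port_specified=False,
                  domain=domain, domain_specified=True, domain_initial_dot=False,
                  path="/", path_specified=True, secure=True, expires=None,
                  discard=True, comment=None, comment_url=None, rest={})


def make_jar() -> CookieJar:
    jar = CookieJar()
    jar.set_cookie(make_session_cookie("target.example"))
    return jar


def cookies_sent_to(jar: CookieJar, url: str):
    """The Cookie header the jar would attach to a request for url, or None."""
    req = Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def strip_framing_headers(headers: dict) -> dict:
    """What a header-stripping proxy does to the response it relays."""
    drop = {"x-frame-options", "content-security-policy"}
    return {k: v for k, v in headers.items() if k.lower() not in drop}


def framing_allowed(headers: dict, framer_origin: str, page_origin: str) -> bool:
    """Does the page's own policy let framer_origin embed it? (simplified model)

    CSP frame-ancestors wins over X-Frame-Options when both are present; no
    policy at all means framing is allowed. Only 'none', 'self' and exact
    origin sources are understood.
    """
    h = {k.lower(): v for k, v in headers.items()}
    framer_origin, page_origin = framer_origin.lower(), page_origin.lower()
    for directive in h.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() != "frame-ancestors":
            continue
        sources = value.split()
        if "'none'" in sources:
            return False
        for src in sources:
            if src == "'self'" and framer_origin == page_origin:
                return True
            if src.lower() == framer_origin:
                return True
        return False
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return framer_origin == page_origin
    return True


def triage(target_url: str, target_headers: dict, poc_framed_url: str, poc_page_origin: str) -> str:
    """Classify a PoC: poc_framed_url is the iframe src, poc_page_origin the attacker page."""
    if not same_origin(poc_framed_url, target_url):
        # The frame shows another origin: no target cookies, no target policy.
        return "proxied-copy"
    if framing_allowed(target_headers, poc_page_origin, origin(target_url)):
        return "framing-allowed"
    return "policy-blocks-framing"


if __name__ == "__main__":
    jar = make_jar()
    print("cookie to target:", cookies_sent_to(jar, TARGET))
    print("cookie to proxy: ", cookies_sent_to(jar, PROXY))
    print("proxy relays:    ", strip_framing_headers(TARGET_HEADERS))
    print("verdict:         ", triage(TARGET, TARGET_HEADERS, PROXY, "https://evil.example"))
```

Run it as-is and the verdict for the proxied PoC is `proxied-copy`: the session cookie is attached only to the request for `target.example`, nothing is sent to `proxy.example`, and the headers the proxy relays are its own. Only a PoC whose iframe loads the target origin itself and is permitted by the target's real headers (`framing-allowed`) describes a clickjacking exposure worth paying for.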