Post by boopbeepforum » Wed Oct 19, 2022 2:25 pm

I've been getting a couple of emails from the same gmail address, demanding a reward for pointing out a 'clickjacking' vulnerability. The first one says 'hope for a reward', and the second email says 'expecting a reward'. I'm wondering if anyone else is getting similar emails and how you deal with them.

From other forums, these emails seem common, from people running automated scripts. They attach a screenshot of your website and include a description of a proof of concept.

In the case of 'clickjacking' by embedding your website into an iframe to log keystrokes by customers attempting to enter their login credentials, I don't think the risk is much different than someone simply being able to clone your site. The customer still needs to visit a third-party site and will see a different domain URL in both cases. It's something I'm already aware of and doesn't deserve a reward.

A single line for CSP frame-ancestors in .htaccess or X-Frame-Options in the header template would help reduce the risk, but I assume a customer's compromised browser may bypass this anyway.

The business is experiencing a downturn from the energy crisis and hardly any people create accounts or login, so there are no credentials to steal or any money to pay for alerting me to something I already know about.

I'm just worried that either ignoring or responding to such emails could lead to extortion, web attacks, or further demands. What do you do?
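A quick way to confirm that the frame-ancestors / X-Frame-Options fix mentioned above has actually taken effect on your own storefront, as an added example that is not part of this thread: a small Python checker that reads a page's response headers and reports whether cross-origin framing is blocked. The sample headers are constructed inline; for a live check, pass `dict(response.headers)` from `urllib.request.urlopen` against one of your own pages.

```python
"""Check whether HTTP response headers stop third-party sites from framing a page."""
from typing import Dict, List, Optional, Tuple


def _get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (header names are case-insensitive in HTTP)."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)


def csp_frame_ancestors(headers: Dict[str, str]) -> Optional[List[str]]:
    """Return the frame-ancestors source list from Content-Security-Policy, or None if absent."""
    csp = _get_header(headers, "Content-Security-Policy")
    if csp is None:
        return None
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None


def framing_blocked(headers: Dict[str, str]) -> Tuple[bool, str]:
    """Return (blocked, reason): whether cross-origin framing is prevented by these headers."""
    sources = csp_frame_ancestors(headers)
    if sources is not None:
        # When both headers are present, CSP-aware browsers obey frame-ancestors
        # and ignore X-Frame-Options, so the CSP directive decides the outcome.
        if not sources:
            return False, "CSP frame-ancestors has no sources; set 'self' or 'none' explicitly"
        if any(s == "*" or s in ("http:", "https:") for s in sources):
            return False, f"CSP frame-ancestors is permissive: {' '.join(sources)}"
        return True, f"CSP frame-ancestors {' '.join(sources)}"
    xfo = _get_header(headers, "X-Frame-Options")
    if xfo is not None:
        value = xfo.strip().upper()
        if value in ("DENY", "SAMEORIGIN"):
            return True, f"X-Frame-Options {value}"
        # ALLOW-FROM is obsolete and ignored by current browsers; other values are invalid.
        return False, f"X-Frame-Options value not enforced by modern browsers: {xfo.strip()}"
    return False, "no frame-ancestors directive and no X-Frame-Options header"


# Constructed sample headers: a storefront before and after adding the one-line fix.
UNPROTECTED = {"Content-Type": "text/html", "Server": "Apache"}
PROTECTED = {"Content-Type": "text/html",
             "Content-Security-Policy": "frame-ancestors 'self'",
             "X-Frame-Options": "SAMEORIGIN"}
```

Running `framing_blocked(UNPROTECTED)` and `framing_blocked(PROTECTED)` shows the before/after result; the reason string tells you which header did the work.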


Post by johnp » Wed Oct 19, 2022 4:16 pm

I've had loads of these. One even got my email password and put that in the email to me. I've changed my email password, cPanel password and FTP password. I've also checked my site for hacks and injections and always run a firewall. They still come in but I always ignore them. I also use Linux more and more now as you never know if your Windows machine is compromised.

Opencart 1.5.6.5/OC Bootstrap Pro/VQMOD lover, user and geek.
Affordable Service £££ - Opencart Installs, Fixing, Development and Upgrades
Plus Ecommerce, Marketing, Mailing List Management and More
FREE Guidance and Advice at https://www.ecommerce-help.co.uk


Post by Johnathan » Wed Oct 19, 2022 9:39 pm

Yeah, usually ignoring them is the best. If the information is truly helpful, and they aren't too pushy, and you have the budget, then I think it's fine to give them a token amount.

However, if the security flaw is obscure (like the one you described) then it's probably not worth responding to. The person is probably sending out dozens of these e-mails, hoping to get a hit, so they probably get ignored most of the time.

