Top Clickjacking reports from HackerOne:
- RCE of Burp Scanner / Crawler via Clickjacking to PortSwigger Web Security - 160 upvotes, $3000
- Highly wormable clickjacking in player card to X (Formerly Twitter) - 131 upvotes, $0
- Twitter Periscope Clickjacking Vulnerability to X (Formerly Twitter) - 129 upvotes, $1120
- Clickjacking on donation page to WordPress - 89 upvotes, $0
- Viral Direct Message Clickjacking via link truncation leading to capture of both Google credentials & installation of malicious 3rd party Twitter App to X (Formerly Twitter) - 64 upvotes, $0
- Sensitive Clickjacking on admin login page. to Shipt - 53 upvotes, $0
- Stealing User emails by clickjacking cards.twitter.com/xxx/xxx to X (Formerly Twitter) - 49 upvotes, $0
- Clickjacking vkpay to VK.com - 44 upvotes, $0
- [api.tumblr.com] Exploiting clickjacking vulnerability to trigger self DOM-based XSS to Automattic - 30 upvotes, $0
- URL is vulnerable to clickjacking https://app.passit.io/ to Passit - 28 upvotes, $0
- Clickjacking Vulnerability Can Leads To Delete Developer APP to TikTok - 23 upvotes, $500
- Clickjacking at ylands.com to BOHEMIA INTERACTIVE a.s. - 19 upvotes, $80
- Clickjacking in the admin page to Rocket.Chat - 18 upvotes, $0
- Clickjacking in [exchangemarketplace.com] to Shopify - 17 upvotes, $0
- Clickjacking at join.nordvpn.com to Nord Security - 17 upvotes, $0
- CRITICAL-CLICKJACKING at Yelp Reservations Resulting in exposure of victim Private Data (Email info) + Victim Credit Card MissUse. to Yelp - 17 upvotes, $0
- Clickjacking In jobs.wordpress.net to WordPress - 16 upvotes, $0
- Clickjacking on cas.acronis.com login page to Acronis - 16 upvotes, $0
- Clickjacking at open.rocket.chat to Rocket.Chat - 15 upvotes, $0
- Clickjacking wordcamp.org to WordPress - 14 upvotes, $0
- Make user buy items via clickjacking possibility to Mail.ru - 14 upvotes, $0
- self-xss with ClickJacking can leads to account takeover in Firefox to Imgur - 14 upvotes, $0
- Modifying application settings via clickjacking on o2.mail.ru to Mail.ru - 13 upvotes, $150
- Clickjacking Vulnerability found on Yelp to Yelp - 13 upvotes, $0
- Reflected XSS through ClickJacking to U.S. Dept Of Defense - 13 upvotes, $0
- Clickjacking on Mixmax.com to Mixmax - 12 upvotes, $0
- Clickjacking on https://www.goodhire.com/api to Inflection - 12 upvotes, $0
- URL is vulnerable to clickjacking to MyCrypto - 12 upvotes, $0
- Modify account details by exploiting clickjacking vulnerability on refer.wordpress.com to Automattic - 12 upvotes, $0
- AWS S3 website can't serve security headers, may allow clickjacking to Legal Robot - 11 upvotes, $0
- Clickjacking mercantile.wordpress.org to WordPress - 11 upvotes, $0
- Single Sing On - Clickjacking to Semrush - 11 upvotes, $0
- clickjacking in /lead_forms_app.php to VK.com - 11 upvotes, $0
- Certificate warnings and similar UI elements in Web protection of Anti-Virus products family are susceptible to clickjacking to Kaspersky - 11 upvotes, $0
- Clickjacking Vulnerability in sifchain.finance to Sifchain - 11 upvotes, $0
- Clickjacking Periscope.tv on Chrome to X (Formerly Twitter) - 10 upvotes, $0
- Following links are vulnerable to clickjacking to Semrush - 10 upvotes, $0
- Clickjacking URLS to Nextcloud - 10 upvotes, $0
- Reflected XSS through clickjacking at https://████ to U.S. Dept Of Defense - 10 upvotes, $0
- OAuth authorization page vulnerable to clickjacking to Coinbase - 9 upvotes, $5000
- Bypass of the Clickjacking protection on Flickr using data URL in iframes to Yahoo! - 9 upvotes, $0
- Delete images of users with clickjacking in https://pw.mail.ru to Mail.ru - 9 upvotes, $0
- Get ip and Geo location any user via Clickjacking with inspectlet technology to Acronis - 9 upvotes, $0
- Clickjacking at app.lemlist.com to lemlist - 9 upvotes, $0
- Clickjacking on authorized page https://wakatime.com/share/embed to WakaTime - 8 upvotes, $0
- Clickjacking - https://mercantile.wordpress.org/ to WordPress - 8 upvotes, $0
- Clickjacking in Legalrobot app to Legal Robot - 8 upvotes, $0
- Clickjacking to Palo Alto Software - 8 upvotes, $0
- UI Redressing ( ClickJacking ) Issue on Information submit form to Legal Robot - 7 upvotes, $0
- Clickjacking to Pushwoosh - 7 upvotes, $0
- Click Jacking Nextcloud to Nextcloud - 7 upvotes, $0
- Clickjacking on my.stripo.email for MailChimp credentials to Stripo Inc - 7 upvotes, $0
- Clickjacking misconfiguration bug to Sifchain - 7 upvotes, $0
- Clickjacking to change email address to Gener8 - 7 upvotes, $0
- Clickjacking Vulnerability In Whole Page Ads Tiktok to TikTok - 6 upvotes, $500
- Found clickjacking vulnerability to LeaseWeb - 6 upvotes, $0
- Account takeover vulnerability by editor role privileged users/attackers via clickjacking to WordPress - 6 upvotes, $0
- Clickjacking lead to remove review to Yelp - 6 upvotes, $0
- Khan Academy ClickJacking to Steal Users's Credintials to Khan Academy - 6 upvotes, $0
- Clickjacking Vulnerability via https://profile.my.games/gamecenter/profile/ can lead to sensitive cross site actions (Bypass X-Frame-Options) to Mail.ru - 6 upvotes, $0
- Vulnerable for clickjacking attack to Sifchain - 6 upvotes, $0
- Shop - Reflected XSS With Clickjacking Leads to Steal User's Cookie In Two Domain to Meredith - 6 upvotes, $0
- Click Jacking to Legal Robot - 5 upvotes, $0
- Missing security headers, possible clickjacking to Legal Robot - 5 upvotes, $0
- https://admin.corp.cuvva.co/ is vulnerable to Clickjacking attacks due to missing X-Frame-Options to Cuvva - 5 upvotes, $0
- Clickjacking docs.weblate.org to Weblate - 5 upvotes, $0
- clickjacking on https://gratipay.com/on/npm/[text] to Gratipay - 5 upvotes, $0
- ClickJacking on IMPORTANT Functions of Yelp to Yelp - 5 upvotes, $0
- Clickjacking Vulnerability via https://www.donationalerts.com/help/support leads to bypass for widget.support.my.games X-Frame Options to Mail.ru - 5 upvotes, $0
- ClickJacking on http://au.launch.yahoo.com to Yahoo! - 4 upvotes, $0
- Clickjacking: X-Frame-Options header missing to Legal Robot - 4 upvotes, $0
- Clickjacking In https://demo.nextcloud.com to Nextcloud - 4 upvotes, $0
- Clickjacking Full account takeover and editing the personal information at [account.my.com] to Mail.ru - 4 upvotes, $0
- Clickjacking Vulnerability via https://webagent.mail.ru leading to protection bypass for https://web.icq.com/ end point to Mail.ru - 4 upvotes, $0
- Clickjacking to Mail.ru - 3 upvotes, $0
- Click-Jacking due to missing X-frame header to Factlink - 3 upvotes, $0
- Clickjacking at https://www.mavenlink.com/ main website to Mavenlink - 3 upvotes, $0
- Clickjacking at surveylink.yahoo.com to Yahoo! - 3 upvotes, $0
- Clickjacking login page of http://book.zomato.com/ to Zomato - 3 upvotes, $0
- Clickjacking: Delete Account, Change privacy settings, Rate business, follow/unfollow (IE) to Zomato - 3 upvotes, $0
- Settings page in https://support.my.com is vulnerable to clickjacking to Mail.ru - 3 upvotes, $0
- Clickjacking on profile page leading to unauthorized changes to UPchieve - 3 upvotes, $0
- Possible clickjacking at shop.khanacademy.org to Khan Academy - 2 upvotes, $0
- Click jacking to Factlink - 2 upvotes, $0
- Clickjacking & CSRF attack can be done at https://app.mavenlink.com/login to Mavenlink - 2 upvotes, $0
- clickjacking on leaving group(flick) to Yahoo! - 2 upvotes, $0
- Vulnerable to clickjacking to Gratipay - 2 upvotes, $0
- Clickjacking on authenticated pages which is inscope for New Relic to New Relic - 2 upvotes, $0
- newrelic.com vulnerable to clickjacking ! to New Relic - 2 upvotes, $0
- ClickJacking on Debug to Weblate - 2 upvotes, $0
- Clickjacking irclogs.wordpress.org to WordPress - 2 upvotes, $0
- Click jacking in delete image of user in Yelp to Yelp - 2 upvotes, $0
- URL is vulnerable to clickjacking to Zomato - 2 upvotes, $0
- Clickjacking Vulnerability on https://support.my.com/games/ticket/xxxx/ to Mail.ru - 2 upvotes, $0
- Clickjacking in ops.cuvva.com to Cuvva - 2 upvotes, $0
- Clickjacking to Kubernetes - 2 upvotes, $0
- Site-wide clickjacking at IE11 to New Relic - 2 upvotes, $0
- ClickJacking to Acronis - 2 upvotes, $0
- clickjacking at brew.sh to Homebrew - 2 upvotes, $0
- CLICKJACKING LEADS TO DEACTIVATE ACCOUNT to UPchieve - 2 upvotes, $0
- Clickjacking ar https://hackers.upchieve.org/login to UPchieve - 2 upvotes, $0
- Clickjacking to Sifchain - 2 upvotes, $0
- Clickjacking - changing role to Respondly - 1 upvote, $0
- ClickJacking to Localize - 1 upvote, $0
- Clicjacking on Login panel to Mail.ru - 1 upvote, $0
- Clickjacking at https://staging.uzbey.com/ to Uzbey - 1 upvote, $0
- Clickjacking to Mavenlink - 1 upvote, $0
- Clickjacking: X-Frame-Options header missing to GlassWire - 1 upvote, $0
- clickjacking to Yahoo! - 1 upvote, $0
- Clickjacking: X-Frame-Options header missing to APITest.IO - 1 upvote, $0
- Clickjacking in love.uber.com to Uber - 1 upvote, $0
- ClickJacking to OWOX, Inc. - 1 upvote, $0
- Clickjacking vulnerability in support-dashboard.corp.cuvva.co to Cuvva - 1 upvote, $0
- Clickjacking or URL Masking to Brave Software - 1 upvote, $0
- clickjacking at http://mailboxes.legalrobot-uat.com/ to Legal Robot - 1 upvote, $0
- aspen | clickjacking to Aspen - 1 upvote, $0
- ClickJacking to Yelp - 1 upvote, $0
- Clickjacking: X-Frame Header Missing to Yelp - 1 upvote, $0
- clickjacking to Semrush auth login to Semrush - 1 upvote, $0
- Clickjacking on https://download.nextcloud.com/ to Nextcloud - 1 upvote, $0
- Clickjacking on https://download.nextcloud.com to Nextcloud - 1 upvote, $0
- Nextcloud Clickjacking Vulnerability to Nextcloud - 1 upvote, $0
- clickjacking on deleting user's clips [https://crossclip.com/clips] to Logitech - 1 upvote, $0
- clickjacking vulnerability to Sifchain - 1 upvote, $0
- Clickjacking at sifchain.finance to Sifchain - 1 upvote, $0
- Clickjacking login page of https://hackers.upchieve.org/login to UPchieve - 1 upvote, $0
- Clickjacking : https://partners.cloudflare.com/ to Cloudflare Vulnerability Disclosure - 0 upvotes, $0
- Clickjacking https://blockstack.org/ to Hiro - 0 upvotes, $0
- ClickJacking in editing business name to Yelp - 0 upvotes, $0
- User can be fooled to Bookmark any restaurant by clickjacking to Yelp - 0 upvotes, $0
- Clickjacking @ Main Domain[www.yelp.com] to Yelp - 0 upvotes, $0
- Clickjacking on https://nextcloud.com/ to Nextcloud - 0 upvotes, $0
- Clickjacking /framing on sensitive Subdomain to Sifchain - 0 upvotes, $0