Fake Clickjacking Bug Bounty Reports: The Key Facts

Clickjacking Bug Bounty

Are you aware of fake clickjacking bug bounty reports? If not, you should be. This article will get you up to speed and help you to stay alert.

What are clickjacking bug bounty reports?

If we start by breaking up the term into its component parts, a bug bounty is a program offered by an organization, in which individuals are rewarded for finding and reporting software bugs. These programs are often used by companies as a cost-effective way to find and fix software vulnerabilities, thereby improving the security of their products. They also help to build goodwill with the security community.

For the bounty hunters (or white hat hackers), they have an opportunity to earn money and recognition for their skills.

Clickjacking is a malicious technique used to trick users into clicking on something that they think is safe, but is actually harmful. For example, a hacker could create a fake button that looks like the "like" button on a social media site. When users click on it, they may unknowingly like a page or post harmful content. While this may seem like a harmless prank, clickjacking can be used for more malicious purposes, such as infecting a user's computer with malware or stealing sensitive information.

Given the potential damage, clickjacking can cause, big bounties that report cases of it can be very beneficial to an organization.

My company doesn't offer bug bounties. Does it need to?

As a bug bounty report can bring financial benefits to both the bounty hunter and the organization, the former will often not wait for an invite to hunt for bugs and will take a more proactive approach. This means you could be sent bounty reports even if you don't have a formal bug bounty program in place. This practice – where a report comes unsolicited with a request for money – is often referred to as a "beg bounty".

So what's the problem?

There is a growing trend in fake bug bounty reports because individuals are using scanning tools to generate "issues" and then flagging them to as many organizations as possible without consideration of the real risk.

While some will look fake, other reports may be sophisticated enough to con an organization out of thousands of dollars. And by falling victim, you don't just pay a reward that is undeserved; you also show the bounty hunter that you have limited security expertise – a weakness they are highly likely to come back and exploit.

Of course, shutting the doors and ignoring all bug bounty reports is not the answer. There are genuinely good people out there who are trying to help, and their discovery may just save your business a lot of grief and expense.

So just how do you know if a bug bounty report is genuine, particularly if you're not a security professional or don't have a security team in place?

How to identify a fake clickjacking bug bounty report?

When such reports from people positioning themselves as security experts appear, it can be hard to determine what is real and what is fake but there are companies that can conduct reviews of bug bounty reports to give you that peace of mind. This is offered by certain vulnerability scanning providers, who as part of their service, will also run a continuous watch over your systems to identify, analyse, and remediate critical vulnerabilities faster.

Intruder, which offers such a service and has been helping clients uncover fake clickjacking bug bounty reports for years, has seen an increase in cases recently. Just a few weeks ago, one of its Vanguard customers was notified of an anonymous "vulnerability report." The reporter claimed to be able to bypass their clickjacking protections using some publicly available JavaScript, but thanks to the Vanguard team's in-depth knowledge of the client's systems, it was able to write off the report as fake very quickly.

There are also a few things you can look out for to spot a fake report yourself:

  • Relevancy to your situation. If it's a high-quality bug bounty report, it will refer to a system, page or program your organization uses and be specific in its detail.
  • Explanation of impact. A genuine bug bounty hunter will have put in the effort for their reward and will be able to demonstrate that the vulnerability they have found is more costly to you than their "fee." The more information they can provide on the impact of the vulnerability both in terms of size and implications to your website and organisation, the better.
  • Structure of report. Someone running a mass mail out of fake bug bounty reports is very likely to use a template for their reporting and may use generic terms that are irrelevant to your business.
  • Terms of payment. If a bounty hunter asks for payment upfront without providing any details of their findings, this is a red flag. You can either respond by saying you can't offer a bounty without seeing the report first, and see if they respond, or you can get the help of an expert such as Intruder who will advise on the best course of action.
  • Adherence to your policies. Look at setting up a specified security mailbox and introduce a policy via a security.txt file that states you shall only review bounty reports sent to that address.
  • Copycats. Another good way of identifying a beg bounty is to look for instances online where other companies are receiving the same reports. A genuine bug bounty report will be unique to your systems and situation.

Falling victim to a fake bug bounty report could lose you money and set you up for an onslaught of further fake reports, or worse, attacks, in the future. Avoid such problems by having continuous automated scanning and a team of expert security professionals at your side, from a company like Intruder. Its ability to probe deeper and validate potential weaknesses could have a huge impact on your business.