Twitter Periscope Clickjacking Vulnerability
Medium
X (Formerly Twitter)
Reported by eo420
Vulnerability Details
Technical details and impact analysis
Bonjour,
## Summary
X-Frame-Options ALLOW-FROM https://twitter.com/ is not supported by several browsers, which causes clickjacking on the Twitter Periscope subdomains (https://canary-web.pscp.tv & https://canary-web.periscope.tv)
## Steps To Reproduce:
1. Create a new HTML file
2. Put `<iframe src="https://vulnerable.site" frameborder="0"></iframe>`
3. Save the file
4. Open document in browser
## Impact
An attacker may trick a user by sending them a malicious link; when the user opens it and clicks some image, their account is deactivated without their knowledge.
## Solution
The vulnerability can be fixed by adding "frame-ancestors 'self';" to the CSP (Content-Security-Policy) header.
## NOTE
- POC & Attacking Scenarios (https://vimeo.com/338854681 PASS:Per!scop3^)
## References
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
https://www.owasp.org/index.php/Clickjacking
https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Clickjacking_Defense_Cheat_Sheet.md
Cheers!
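A defender-side check that mirrors the finding above: the script below classifies the anti-framing posture of a set of response headers and translates a legacy X-Frame-Options value into the CSP frame-ancestors equivalent. It is an added example, not code from the report or from X/Periscope; the header sets it is exercised with are constructed, and the function names are my own.

```python
"""Classify whether response headers actually stop cross-origin framing.

X-Frame-Options ALLOW-FROM was never supported by Chrome or Safari and was
dropped by Firefox; those browsers ignore the header entirely, so the page
stays frameable. CSP frame-ancestors is the portable replacement.
"""
from typing import Dict, List


def parse_frame_ancestors(csp: str) -> List[str]:
    """Return the source list of the frame-ancestors directive, or [] if absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return []


def assess_framing_protection(headers: Dict[str, str]) -> Dict[str, object]:
    """Decide the effective anti-framing policy for one response.

    `headers` maps header name (any case) to value; here it is a constructed
    dict rather than a live HTTP response.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    xfo = h.get("x-frame-options", "")
    ancestors = parse_frame_ancestors(h.get("content-security-policy", ""))
    if ancestors:
        # Where frame-ancestors is supported it overrides X-Frame-Options,
        # so it decides the effective policy; a bare '*' allows any framer.
        return {"protected": "*" not in ancestors, "mechanism": "csp", "allowed": ancestors}
    first = xfo.split()[0].upper() if xfo else ""
    if first in ("DENY", "SAMEORIGIN"):
        return {"protected": True, "mechanism": "xfo", "allowed": [first.lower()]}
    if first == "ALLOW-FROM":
        # Unsupported directive: browsers that do not know it ignore the whole
        # header, leaving the page frameable from any origin there.
        return {"protected": False, "mechanism": "xfo-allow-from", "allowed": xfo.split()[1:]}
    return {"protected": False, "mechanism": "none", "allowed": []}


def csp_equivalent(xfo: str) -> str:
    """Translate an X-Frame-Options value into the matching frame-ancestors directive."""
    tokens = xfo.split()
    kind = tokens[0].upper() if tokens else ""
    if kind == "DENY":
        return "frame-ancestors 'none';"
    if kind == "SAMEORIGIN":
        return "frame-ancestors 'self';"
    if kind == "ALLOW-FROM" and len(tokens) == 2:
        # frame-ancestors lists origins, so drop the trailing path separator;
        # add 'self' as well if the site also frames its own pages.
        return f"frame-ancestors {tokens[1].rstrip('/')};"
    raise ValueError(f"unrecognised X-Frame-Options value: {xfo!r}")
```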
Report Details
Additional information and metadata
State: Closed
Substate: Resolved
Bounty: $1120.00
Weakness: UI Redressing (Clickjacking)