Sunday, March 24

Critical Clickjacking vulnerability in Rediffmail

Narendra Bhati, an information security researcher from Sheogan Rajasthan, has identified a critical UI redressing vulnerability in the Rediffmail website, a web-based e-mail service provided by Rediff.com.

Rediff is the number one Indian web portal that offers news, information, entertainment, and shopping. Rediff.com was the first website domain name registered in India in 1996.

The website allows other websites to embed the Rediffmail page in an iframe.

PoC:
<iframe src="http://f5mail.rediff.com/ajaxprism/container#Inbox" width="1000" height="1000"></iframe>

The vulnerability allows an attacker to lure the victim into changing the victim's own personal information. It can also be used to lure the victim into sending an SMS to anyone.

Narendra has created a small PoC that lures users with an "Online Prize Contest". When a user copies and pastes the gift code and clicks the submit button, the user's information is updated.

You can check his PoC here:
http://pastebin.com/qrhZpdeX

The researcher discovered the vulnerability in January and notified Rediffmail. As usual, Rediffmail did not reply to him regarding the security issue. After 1 month, Narendra decided to report it.
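
A page can be framed by any other site, as described above, when its response carries no effective anti-framing header. As an added example (not part of the original post or of Rediff's code), this Python check classifies a response's `X-Frame-Options` and CSP `frame-ancestors` headers; the function names and header samples are constructed for illustration.

```python
RANK = {"unprotected": 0, "allowlist": 1, "sameorigin": 2, "deny": 3}
ANY_ORIGIN = {"*", "http:", "https:"}  # sources that match every site


def frame_ancestors(csp_value):
    """Return the frame-ancestors source list of one CSP header, or None."""
    for directive in csp_value.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None


def classify_sources(sources):
    if not sources or sources == ["'none'"]:
        return "deny"  # an empty source list matches no ancestor
    if ANY_ORIGIN & set(sources):
        return "unprotected"
    return "sameorigin" if sources == ["'self'"] else "allowlist"


def framing_protection(headers):
    """Classify a response given as a list of (name, value) header pairs."""
    verdicts, xfo = [], set()
    for name, value in headers:
        name = name.lower()
        # Content-Security-Policy-Report-Only is skipped: it enforces nothing.
        if name == "content-security-policy":
            sources = frame_ancestors(value)
            if sources is not None:
                verdicts.append(classify_sources(sources))
        elif name == "x-frame-options":
            xfo.update(t.strip().upper() for t in value.split(","))
    if verdicts:
        # frame-ancestors overrides X-Frame-Options; with several policies
        # all apply, so report the strictest one.
        return max(verdicts, key=RANK.get)
    if xfo == {"DENY"}:
        return "deny"
    if xfo == {"SAMEORIGIN"}:
        return "sameorigin"
    # Missing, ALLOW-FROM (obsolete, ignored by current browsers), unknown or
    # conflicting values are reported as unprotected so they get fixed.
    return "unprotected"


if __name__ == "__main__":
    # Constructed sample: a response with no anti-framing header at all.
    print(framing_protection([("Content-Type", "text/html")]))
```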
