User Account Deletion and more via Clickjacking in heroiclabs/nakama
May 24th 2022
As the nakama console is not restricted from being loaded in an iframe, a clickjacking attack is possible.
Proof of Concept
- Log in to the nakama console.
- Save the following as an .html file and open it in the browser to see that the page loads into an iframe.
Impact
- Deletion of user accounts in the User Management section.
- Deletion or banning of users in the User Accounts section.
- Deletion of Storage Objects and User Groups, and more.
While it impacts a number of features, adding a proper X-Frame-Options header to the response remediates all of the occurrences.
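The following is an added example and is not part of this report or of Nakama's own code. Nakama is written in Go, so it shows the fix as a Go `net/http` middleware that sets `X-Frame-Options: DENY` together with the modern equivalent, a `Content-Security-Policy: frame-ancestors 'none'` directive (CSP `frame-ancestors` takes precedence over `X-Frame-Options` in browsers that support both). It also includes a `Frameable` check that evaluates a response's headers the way a browser would, so the same check can be run against the console before and after the header is added. The handler names and the stand-in console page are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// AntiFraming wraps an http.Handler and sets both the legacy X-Frame-Options
// header and the CSP frame-ancestors directive on every response, so the
// wrapped pages cannot be embedded in an iframe by another origin.
func AntiFraming(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		h.Set("X-Frame-Options", "DENY")
		h.Set("Content-Security-Policy", "frame-ancestors 'none'")
		next.ServeHTTP(w, r)
	})
}

// Frameable reports whether a response carrying these headers could be loaded
// in an iframe by an arbitrary origin, i.e. whether it is exposed to
// clickjacking. As in browsers, a CSP frame-ancestors directive wins over
// X-Frame-Options when both are present.
func Frameable(h http.Header) bool {
	for _, csp := range h.Values("Content-Security-Policy") {
		for _, directive := range strings.Split(csp, ";") {
			fields := strings.Fields(directive)
			if len(fields) > 0 && strings.EqualFold(fields[0], "frame-ancestors") {
				// Any frame-ancestors directive restricts framing to the listed
				// sources; only the wildcard '*' leaves the page framable by anyone.
				for _, src := range fields[1:] {
					if src == "*" {
						return true
					}
				}
				return false
			}
		}
	}
	// Only DENY and SAMEORIGIN are honoured by current browsers; any other
	// value (or a missing header) is ignored and the page can be framed.
	switch strings.ToUpper(strings.TrimSpace(h.Get("X-Frame-Options"))) {
	case "DENY", "SAMEORIGIN":
		return false
	}
	return true
}

// Probe issues an in-process request against handler and returns whether the
// response is frameable; this is the check to run before and after the fix.
func Probe(handler http.Handler, path string) bool {
	rec := httptest.NewRecorder()
	handler.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return Frameable(rec.Result().Header)
}

func main() {
	// Stand-in for the console's page handler (constructed for this example,
	// not Nakama code).
	console := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "text/html")
		fmt.Fprint(w, "<html><body>console</body></html>")
	})

	fmt.Println("unprotected frameable:", Probe(console, "/"))              // true
	fmt.Println("protected frameable:  ", Probe(AntiFraming(console), "/")) // false
}
```

Wrap the console's router (not just individual pages) in `AntiFraming`, so that every response, including error pages, carries the headers; a single unprotected route is enough for the attack described above.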