Last weekend, I had a chance to use the Google Cloud Print service and found a clickjacking vulnerability. Obviously, the X-Frame-Options response header was missing, as shown in the image below.
According to the new Google bug bounty program, a clickjacking vulnerability that is performed using two clicks will not be considered for the VRP or as a bug. That's why this vulnerability is not considered by the Google Security team.
As this vulnerability doesn't matter to Google, we would like to release the clickjacking vulnerability POC publicly. The working POC can be viewed here.
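A defender-side check for the missing-header condition described above, as an added example that is not part of the original post: it classifies a response's anti-framing headers, treating an enforced CSP `frame-ancestors` directive as replacing `X-Frame-Options`. The function names and sample headers are constructed for illustration, and the logic is a simplified audit rule rather than the browser's full algorithm.

```python
PERMISSIVE_SOURCES = {"*", "http:", "https:"}  # sources that let any site frame the page


def frame_ancestors_lists(headers):
    """Collect the source list of every enforced frame-ancestors directive."""
    found = []
    for name, value in headers:
        if name.lower() != "content-security-policy":
            continue
        for policy in value.split(","):  # one header may carry several policies
            for directive in policy.split(";"):
                tokens = directive.split()
                if tokens and tokens[0].lower() == "frame-ancestors":
                    found.append([t.lower() for t in tokens[1:]])
                    break  # only the first occurrence in a policy counts
    return found


def framing_protection(headers):
    """Return (protected, reason) for a list of (name, value) response headers."""
    ancestors = frame_ancestors_lists(headers)
    if ancestors:
        # An enforced frame-ancestors directive replaces X-Frame-Options entirely.
        if any(not (set(srcs) & PERMISSIVE_SOURCES) for srcs in ancestors):
            return True, "CSP frame-ancestors restricts embedding"
        return False, "CSP frame-ancestors allows any origin"
    xfo = [tok.strip().upper()
           for name, value in headers if name.lower() == "x-frame-options"
           for tok in value.split(",")]
    if not xfo:
        return False, "no X-Frame-Options or CSP frame-ancestors header"
    if any(tok in ("DENY", "SAMEORIGIN") for tok in xfo):
        return True, "X-Frame-Options " + "/".join(sorted(set(xfo)))
    # e.g. ALLOW-FROM, which current browsers ignore
    return False, "X-Frame-Options value not honoured: " + ", ".join(xfo)


# Constructed sample responses (not captured from any real service).
SAMPLES = {
    "no header": [("Content-Type", "text/html")],
    "xfo deny": [("X-Frame-Options", "DENY")],
    "allow-from": [("X-Frame-Options", "ALLOW-FROM https://partner.example")],
    "csp self": [("Content-Security-Policy", "default-src 'self'; frame-ancestors 'self'")],
    "csp wildcard + xfo": [("Content-Security-Policy", "frame-ancestors *"), ("X-Frame-Options", "DENY")],
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(label, framing_protection(hdrs))
```

The last sample shows why both headers need auditing together: a wildcard `frame-ancestors` leaves the page frameable even though `X-Frame-Options: DENY` is also sent.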