Framesniffing isn’t a typical cyber attack. It doesn’t seek to deposit a trojan or rootkit on the target computer. Instead it simply harvests private data that can subsequently be amalgamated and used for different purposes: for example to build a detailed personality profile for a potential spear-phishing target, or to determine the likelihood of a potential merger or acquisition. The Context analysis explains the process and demonstrates it in action against both SharePoint and LinkedIn. Chrome, Safari and Internet Explorer can all be used, although Firefox was patched to prevent framesniffing last year.
The technique bypasses web browsers’ iframe security defences by using HTML anchors to determine the presence or absence of specific data on, for example, a target SharePoint server. All the attacker needs is the SharePoint URL. “Using Framesniffing,” explained Paul Stone, a senior security consultant at Context, “it’s possible for a malicious webpage to run search queries for potentially sensitive terms on a SharePoint server and determine how many results are found for each query. For example,” he went on, “with a given company name it is possible to establish who their customers or partners are; and once this information has been found, the attacker can go on to perform increasingly complex searches and uncover valuable commercial information.”
Context has reported its findings to both Microsoft and LinkedIn. Microsoft replied, “We have concluded our investigation and determined that this is by-design in current versions of SharePoint. We are working to set the X-Frame options in the next version of SharePoint.” LinkedIn has not yet responded.
“We encourage other browser vendors [Firefox is already protected] to apply similar protection to their browsers,” said Stone, “but in the meantime the onus is on individual websites to add framing protection via X-Frame-Options.” This is simply a matter of adding the X-Frame-Options header – and the Context analysis provides a guide on how to do this.
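A site owner can verify that the header is actually reaching clients. The following is an added example, not taken from the Context analysis: it audits response headers for X-Frame-Options and flags the missing, mistyped, obsolete and conflicting cases. The function names, hosts and sample responses are constructed for illustration.

```python
# Added example: audit responses for the X-Frame-Options header the article recommends.
VALID = {"DENY", "SAMEORIGIN"}

def xfo_verdict(headers):
    """headers: list of (name, value) pairs as received on one response.
    Returns (protected: bool, reason: str)."""
    values = []
    for name, value in headers:
        if name.strip().lower() == "x-frame-options":
            # A proxy may fold repeated headers into one comma-separated value.
            values += [v.strip().upper() for v in value.split(",") if v.strip()]
    if not values:
        return False, "header missing: page can be framed by any origin"
    distinct = set(values)
    bad = sorted(v for v in distinct if v not in VALID)
    if bad:
        # ALLOW-FROM is obsolete and ignored by current browsers; typos such as
        # ALLOWALL or SAME-ORIGIN are not valid values either.
        return False, "unrecognised value(s): " + ", ".join(bad)
    if len(distinct) > 1:
        # Treated here as a finding to fix rather than something to rely on.
        return False, "conflicting values: " + ", ".join(sorted(distinct))
    return True, values[0]

def audit(responses):
    """responses: dict of url -> header list. Returns {url: reason} for unprotected URLs."""
    findings = {}
    for url, headers in responses.items():
        protected, reason = xfo_verdict(headers)
        if not protected:
            findings[url] = reason
    return findings

# Constructed sample responses (hypothetical hosts), not captured traffic.
SAMPLES = {
    "https://intranet.example/search": [("Content-Type", "text/html")],
    "https://intranet.example/home": [("x-frame-options", "sameorigin")],
    "https://intranet.example/docs": [("X-Frame-Options", "ALLOW-FROM https://partner.example")],
    "https://intranet.example/wiki": [("X-Frame-Options", "DENY"), ("X-Frame-Options", "SAMEORIGIN")],
    "https://intranet.example/news": [("X-Frame-Options", "DENY, DENY")],
}

if __name__ == "__main__":
    for url, reason in audit(SAMPLES).items():
        print(f"UNPROTECTED {url}: {reason}")
```

The check covers only X-Frame-Options, the header named above; in practice `headers` would come from the responses of the site's own pages.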