Share

Related Links

Top 5 Stories

News

Framesniffing with Chrome, Safari and Internet Explorer

13 March 2012

Security consultancy Context has produced an analysis of framesniffing, an attack technique that can data mine sensitive data through web browsers and iFrames.

Framesniffing isn’t a typical cyber attack. It doesn’t seek to deposit a trojan or rootkit on the target computer. Instead it simply harvests private data that can subsequently be amalgamated and used for different purposes: for example to build a detailed personality profile for a potential spear-phishing target, or to determine the likelihood of a potential merger or acquisition. The Context analysis explains the process and demonstrates it in action against both SharePoint and LinkedIn. Chrome, Safari and Internet Explorer can all be used, although Firefox was patched to prevent framesniffing last year.

The technique bypasses web browsers’ iFrame security defences by using HTML anchors to determine the presence or absence of specific data on, for example, a target Sharepoint server. All the attacker needs is the Sharepoint URL. “Using Framesniffing,” explained Paul Stone, a senior security consultant at Context, “it’s possible for a malicious webpage to run search queries for potentially sensitive terms on a SharePoint server and determine how many results are found for each query. For example,” he went on, “with a given company name it is possible to establish who their customers or partners are; and once this information has been found, the attacker can go on to perform increasingly complex searches and uncover valuable commercial information.”

Context has reported its findings to both Microsoft and LinkedIn. Microsoft replied, “We have concluded our investigation and determined that this is by-design in current versions of SharePoint. We are working to set the X-Frame options in the next version of SharePoint.” LinkedIn has not yet responded.

“We encourage other browser vendors [Firefox is already protected] to apply similar protection to their browsers,” said Stone, “but in the meantime the onus is on individual websites to add framing protection via X-Frame-Options.” This is simply a matter of adding the X-Frame-Options header – and the Context analysis provides a guide on how to do this.

 

This article is featured in:
Internet and Network Security

 

Comment on this article

You must be registered and logged in to leave a comment about this article.

We use cookies to operate this website and to improve its usability. Full details of what cookies are, why we use them and how you can manage them can be found by reading our Privacy & Cookies page. Please note that by using this site you are consenting to the use of cookies. ×