Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

3/13/2012
02:40 PM
Dark Reading
Dark Reading
Products and Releases
50%
50%

Microsoft SharePoint And LinkedIn data At Risk From Framesniffing Attacks

Attack bypasses browser security restrictions

March 13th 2012 - Context Information Security has highlighted a weakness in Internet Explorer, Chrome and Safari web browsers that enables remote attackers to steal sensitive information held on private Microsoft SharePoint sites, as well as mine data from other public websites such as LinkedIn. In these Framesniffing Attacks, a hidden HTML frame is used to load a target website inside the attacker's malicious webpage to read information about the content and structure of the framed pages. The attack bypasses browser security restrictions that are meant to prevent webpages directly reading the contents of third-party sites loaded in frames.

“Using Framesniffing, it's possible for a malicious webpage to run search queries for potentially sensitive terms on a SharePoint server and determine how many results are found for each query,” said Paul Stone, senior security consultant at Context. “For example, with a given company name it is possible to establish who their customers or partners are; and once this information has been found, the attacker can go on to perform increasingly complex searches and uncover valuable commercial information.”

Context researchers tested SharePoint 2007 and 2010 and found that by default, they do not send the X-Frame-Options header that instructs web browsers to disallow framing. This leaves these applications open to both Framesniffing and Clickjacking. As a result, any website that knows the URL of the SharePoint installation can load it in a frame and carry out these attacks, even if it is only accessible on an Intranet.

Following the discovery of this vulnerability, Context contacted Microsoft and was told: "We have concluded our investigation and determined that this is by-design in current versions of SharePoint. We are working to set the X-Frame options in the next version of SharePoint."

Framesniffing can also be used to harvest confidential data from public websites, such as LinkedIn that don’t protect against framing. An attacker using a malicious website could build a profile of visiting users by piecing together small pieces of information leaked from different websites. For example, the product IDs of previously bought items from a shopping site could be combined with a person’s user ID from a social networking site.

Context’s blog published today at www.contextis.com/research/blog/framesniffing, includes a video that shows an attacker extracting sensitive information from a fictional corporate SharePoint installation. In the blog, Context also provides five simple steps to protect a website from this attack by adding the X-Frame-Options header. While Mozilla updated its Firefox web browser last year to prevent Framesniffing, the latest versions of Internet Explorer, Chrome and Safari are still vulnerable.

Fortunately, protecting a website from this attack is a simple matter of adding the X-Frame-Options header and in its blog, Context provides step-by-step instructions on how to do this. “Users of the Firefox browser are already protected against this attack,” said Stone. “We encourage other browser vendors to apply similar protection to their browsers but in the meantime, the onus is on individual websites to add framing protection via X-Frame-Options.”

About Context Context Information Security is an independent security consultancy specialising in both technical security and information assurance services. Founded in 1998, the company’s client base has grown steadily based on the value of its product-agnostic, holistic approach and tailored services combined with the independence, integrity and technical skills of its consultants.

Context is ideally placed to work with clients worldwide with offices in the UK, Australia and Germany and its client base includes some of the most prestigious blue chip companies in the world, as well as government organisations. As best security experts need to bring a broad portfolio of skills to the job, Context staff offer extensive business experience as well as technical expertise to deliver effective and practical solutions, advice and support. Context reports always communicate findings and recommendations in plain terms at a business level as well as in the form of an in-depth technical report.

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-3493
PUBLISHED: 2021-04-17
The overlayfs implementation in the linux kernel did not properly validate with respect to user namespaces the setting of file capabilities on files in an underlying file system. Due to the combination of unprivileged user namespaces along with a patch carried in the Ubuntu kernel to allow unprivile...
CVE-2021-3492
PUBLISHED: 2021-04-17
Shiftfs, an out-of-tree stacking file system included in Ubuntu Linux kernels, did not properly handle faults occurring during copy_from_user() correctly. These could lead to either a double-free situation or memory not being freed at all. An attacker could use this to cause a denial of service (ker...
CVE-2020-2509
PUBLISHED: 2021-04-17
A command injection vulnerability has been reported to affect QTS and QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application. We have already fixed this vulnerability in the following versions: QTS 4.5.2.1566 Build 20210202 and later Q...
CVE-2020-36195
PUBLISHED: 2021-04-17
An SQL injection vulnerability has been reported to affect QNAP NAS running Multimedia Console or the Media Streaming add-on. If exploited, the vulnerability allows remote attackers to obtain application information. QNAP has already fixed this vulnerability in the following versions of Multimedia C...
CVE-2021-29445
PUBLISHED: 2021-04-16
jose-node-esm-runtime is an npm package which provides a number of cryptographic functions. In versions prior to 3.11.4 the AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption, if either failed `JWEDe...