30 Marsh Wall,
E14 9TP London
+44 (1442) 245030
Microsoft SharePoint and LinkedIn data at risk from Framesniffing Attacks
Latest Context blog provides simple fix to protect Internet and Intranet sites at www.contextis.com/research/blog/framesniffing(PresseBox) ( London, )
"Using Framesniffing, it's possible for a malicious webpage to run search queries for potentially sensitive terms on a SharePoint server and determine how many results are found for each query," said Paul Stone, senior security consultant at Context. "For example, with a given company name it is possible to establish who their customers or partners are; and once this information has been found, the attacker can go on to perform increasingly complex searches and uncover valuable commercial information."
Context researchers tested SharePoint 2007 and 2010 and found that by default, they do not send the X-Frame-Options header that instructs web browsers to disallow framing. This leaves these applications open to both Framesniffing and Clickjacking. As a result, any website that knows the URL of the SharePoint installation can load it in a frame and carry out these attacks, even if it is only accessible on an Intranet.
Following the discovery of this vulnerability, Context contacted Microsoft and was told: "We have concluded our investigation and determined that this is by-design in current versions of SharePoint. We are working to set the X-Frame options in the next version of SharePoint."
Framesniffing can also be used to harvest confidential data from public websites, such as LinkedIn that don't protect against framing. An attacker using a malicious website could build a profile of visiting users by piecing together small pieces of information leaked from different websites. For example, the product IDs of previously bought items from a shopping site could be combined with a person's user ID from a social networking site.
Context's blog published today at www.contextis.com/research/blog/framesniffing, includes a video that shows an attacker extracting sensitive information from a fictional corporate SharePoint installation. In the blog, Context also provides five simple steps to protect a website from this attack by adding the X-Frame-Options header. While Mozilla updated its Firefox web browser last year to prevent Framesniffing, the latest versions of Internet Explorer, Chrome and Safari are still vulnerable.
Fortunately, protecting a website from this attack is a simple matter of adding the X-Frame-Options header and in its blog, Context provides step-by-step instructions on how to do this. "Users of the Firefox browser are already protected against this attack," said Stone. "We encourage other browser vendors to apply similar protection to their browsers but in the meantime, the onus is on individual websites to add framing protection via X-Frame-Options."
Die Nutzung von hier veröffentlichten Informationen zur Eigeninformation und redaktionellen Weiterverarbeitung ist in der Regel kostenfrei. Bitte klären Sie vor einer Weiterverwendung urheberrechtliche Fragen mit dem angegebenen Herausgeber. Bei Veröffentlichung senden Sie bitte ein Belegexemplar an email@example.com.