Multiple Browsers Frame Injection Vulnerability Test

Status
Not open for further replies.

Ripclawe

Banned
TEST HERE

http://secunia.com/multiple_browsers_frame_injection_vulnerability_test/



The story is here

http://www.techweb.com/wire/story/TWB20040702S0007

Wednesday, Secunia issued a warning saying it had discovered a vulnerability within IE that allowed scammers to spoof, or fake, the content of a site displayed in the browser.

On Friday, however, the security vendor modified the alert to claim that virtually every browser, from Internet Explorer and Mozilla to Opera and Netscape -- including browsers for both Windows and the Mac OS -- has this flaw.

“It's not a code vulnerability,” said Secunia's Kristensen, “but a design flaw.”

The problem stems from how browsers handle frames. “Some time ago, browser designers decided that one site needed to be able to manipulate the content of another, and the functionality was adopted by everyone,” said Kristensen. But hackers can use this to inject phony content -- say their own credit card-stealing form -- into a frame of an actual trusted Web site, such as a user's online bank.

“In these times of phishing attacks and other scams, this is a problem,” said Kristensen. “You're visiting a bank or an e-commerce site, and you're certain of that site, but meanwhile, it's [actually] open in the background to content change by hackers.”

Internet Explorer users can stymie such spoofing attacks by disabling the “Navigate sub-frames across different domains” setting under Tools/Internet Options/Security.

Secunia offered up a quick test that users can run to see if their current browser is vulnerable to this problem.
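
The frame behaviour described in the quoted article can be modelled as a navigation-policy check. This is an added example, not part of the original post or of Secunia's test; the frame objects, origins and function names are hypothetical, and `restrictedPolicy` is a simplified origin-based model, not any browser's implementation.

```javascript
// Simplified model of frame navigation checks (illustrative; not browser code).
// A frame is { name, origin, parent }; parent is null for a top-level window.
function frame(name, origin, parent = null) {
  return { name, origin, parent };
}

// Permissive behaviour described in the article: any document that can
// address a frame may load new content into it, whatever its origin.
function permissivePolicy(actor, target) {
  return true;
}

// Restricted behaviour: a sub-frame may be navigated only by a document that
// shares an origin with the frame itself or with one of its ancestors.
function restrictedPolicy(actor, target) {
  if (actor.origin === target.origin) return true;
  for (let f = target.parent; f !== null; f = f.parent) {
    if (f.origin === actor.origin) return true;
  }
  return false; // cross-origin with no same-origin ancestor: refuse
}

// Constructed sample: a bank page with a content frame and an embedded
// third-party widget, plus an unrelated page open in another window.
const bankTop = frame("bank-top", "https://bank.example");
const bankContent = frame("content", "https://bank.example", bankTop);
const widget = frame("widget", "https://widgets.example", bankTop);
const otherTop = frame("other-top", "https://other.example");

// Evaluate every (actor, sub-frame) pair under a policy.
function decisions(policy) {
  const rows = [];
  for (const actor of [bankTop, widget, otherTop]) {
    for (const target of [bankContent, widget]) {
      if (actor === target) continue;
      rows.push(`${actor.name} -> ${target.name}: ${policy(actor, target) ? "allow" : "block"}`);
    }
  }
  return rows;
}

console.log(decisions(permissivePolicy).join("\n"));
console.log(decisions(restrictedPolicy).join("\n"));
```

Under the permissive policy every pair is allowed, including the unrelated window writing into the bank's content frame; under the restricted one only the bank's own top-level page may navigate its sub-frames.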
 

xsarien

daedsiluap
Three guesses as to which browser will have this problem fixed last, and the first two don't count.
 

DopeyFish

Not bitter, just unsweetened
Internet Explorer is not vulnerable. Unless I have a super happy crazy updated version or something, but the exploitation did not work.
 

miyuru

Member
Yeah, that's a pretty convincing test when you realise the injected page could totally trick you. I'd actually fall for that, I think all of us would.
 

calder

Member
Didn't work on Firefox 9.1, but I may have done it wrong because I was using tabs and middle-clicking.
 

SKluck

Banned
I've noticed this years ago. Is this supposed to be something new?

I wouldn't really call it a vulnerability. I've never seen it used maliciously; hell, I've never seen it 'used' on purpose ever. Usually just happens on accident when clicking links.
 
Wouldn't this exploit require a previous visit to an untrusted site, followed by a trusted site? I don't see how this exploit could work if your browser opens up to a blank page and then you go to a trusted site.
 

andthebeatgoeson

Junior Member
The Shadow said:
Wouldn't this exploit require a previous visit to an untrusted site, followed by a trusted site? I don't see how this exploit could work if your browser opens up to a blank page and then you go to a trusted site.

I was wondering the same thing. Or a hacker would have to place a link in a website, duping you.
 

Mejilan

Running off of Custom Firmware
Using regular clicking and multi-window browsing (not tab browsing) with Firefox 0.9.1 I could not duplicate the error they described.
 

miyuru

Member
The Shadow said:
Wouldn't this exploit require a previous visit to an untrusted site, followed by a trusted site? I don't see how this exploit could work if your browser opens up to a blank page and then you go to a trusted site.

Or it'd be a trusted site, leading to an untrusted one masked as the same trusted one.

But, a trusted site could be hacked in this manner.
 

Deg

Banned
Yeah this was mentioned on that security site which had pages of IE exploits... Opera and Firefox had this thing but at the time I think one of them fixed it in a beta.
 

iapetus

Scary Euro Man
It was fixed in Firefox pretty quickly, and I believe it made it into 0.9 (or possibly 0.9.1). Doesn't affect my 0.8 Firefox anyway, because I always open content in new tabs, not new windows.
 