TUCoPS :: Web :: General :: frames~1.txt

Frame Spoofing

FSC Internet / SecureXpert Labs

The Frame Spoofing vulnerability
A new security problem in all popular Web browser programs has been found by SecureXpert Labs, a division of FSC Internet Corp. of Toronto. 
This security problem, found by security analysts at SecureXpert in the course of a routine Web site security audit, has been dubbed "The Frame Spoofing Vulnerability". The vulnerability enables the author of a nefarious Web site or email message to "spoof" information presented by another Web site. 

For example, the nefarious Web site could cause false or embarrassing information to be displayed by another Web site; or it could cause the other Web site to display a form which, if filled in, would send information back to the attacker. 

This vulnerability can also be exploited through email. For example, a user might receive an HTML email message appearing to be from a trusted source (since standard email is easily forged) containing a message advertising a product or service. That email could then cause a well-known and trusted Web site to open. The Web site could then be manipulated to confirm the attacker's message. 

The vulnerability occurs because the Netscape and Microsoft browsers fail to correctly prevent a Web site or HTML email message from replacing a frame displayed by the other site with content that is under the attacker's control. (See the following pages for a full technical explanation). 

An unscrupulous individual or organization could exploit this vulnerability in many ways: 

Defraud the public by disseminating false information via a credible source (e.g. distributing false financial/investment information via a major stock exchange's Web site)
 
Obtain confidential information from a company's customers, an organization's members, etc. 

Gain unfair competitive advantage by misleading the public about a competitor's products or prices 
Embarrass a company or organization by falsely attributing embarrassing statements, pornography, etc. to them 

A huge variety of major (and minor) Web sites are vulnerable. Every major browser (including Netscape Navigator and Microsoft Internet Explorer) and every frames-enabled version tested to date (Nov 16th, 1998) is vulnerable. Other browsers may also be vulnerable. 
Note: if you have Javascript enabled, clicking the following link will open the New York Stock Exchange Web site in an additional browser window. This is for the sake of an effective demonstration; however the vulnerability still affects you if you have Javascript disabled, and we encourage you to try the demonstration both ways. Please flip back to this window after the NYSE opens. 


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH