Framesniffing isn’t a typical cyber attack; it doesn’t seek to deposit a Trojan or rootkit on the target computer.
Rather, it simply harvests private data that can see use for different purposes like building a detailed personality profile for a potential spear-phishing target, or to determine the likelihood of a potential merger or acquisition.
LinkedIn, Chrome, Safari and Internet Explorer all fall into the trap, although a patch on Firefox last year prevents framesniffing, said researchers at security consulting firm Context.
The technique bypasses web browsers’ iFrame security defenses by using HTML anchors to determine the presence or absence of specific data on a target Sharepoint server. All the attacker needs is the Sharepoint URL.
“Using Framesniffing, it’s possible for a malicious webpage to run search queries for potentially sensitive terms on a SharePoint server and determine how many results are found for each query,” said Paul Stone, a senior security consultant at Context. “For example, with a given company name it is possible to establish who their customers or partners are; and once this information has been found, the attacker can go on to perform increasingly complex searches and uncover valuable commercial information.”
Context reported its findings to Microsoft and LinkedIn. Microsoft replied, “We have concluded our investigation and determined this is by-design in current versions of SharePoint. We are working to set the X-Frame options in the next version of SharePoint.” LinkedIn has not yet responded.
“We encourage other browser vendors [Firefox is already protected] to apply similar protection to their browsers,” Stone said, “but in the meantime the onus is on individual websites to add framing protection via X-Frame-Options.” This is simply a matter of adding the X-Frame-Options header – and the Context analysis provides a guide on how to do this.