Internet Explorer, Chrome and Safari exploit puts SharePoint and LinkedIn data at risk

Wednesday, 14 March, 2012

Users of Internet Explorer, Chrome and Safari are vulnerable to a new attack that lets remote attackers steal sensitive information held on private Microsoft SharePoint sites, as well as mine data from other public websites such as LinkedIn.

Information security consultancy Context Information Security revealed details of the vulnerability and the potential attacks - which Context calls “framesniffing attacks” - earlier today.

In these attacks, a hidden HTML frame is used to load a target website inside the attacker’s malicious webpage to read information about the content and structure of the framed pages. The attack bypasses browser security restrictions that are meant to prevent webpages directly reading the contents of third-party sites loaded in frames.

“Using Framesniffing, it’s possible for a malicious webpage to run search queries for potentially sensitive terms on a SharePoint server and determine how many results are found for each query,” said Paul Stone, Senior Security Consultant at Context.

“For example, with a given company name it is possible to establish who their customers or partners are; and once this information has been found, the attacker can go on to perform increasingly complex searches and uncover valuable commercial information.”

According to Context, Mozilla last year updated its Firefox browser to prevent framesniffing. However, the latest versions of Microsoft’s Internet Explorer, Google’s Chrome and Apple’s Safari are still vulnerable to such attacks.

“Users of the Firefox browser are already protected against this attack,” said Stone. “Context encourages other browser vendors to apply similar protection to their browsers.”

Framesniffing specifics

According to Context, SharePoint 2007 and 2010, by default, do not send the X-Frame-Options header that instructs web browsers to disallow framing.

“This leaves these applications open to both Framesniffing and Clickjacking,” a statement from Context said. “As a result, any website that knows the URL of the SharePoint installation can load it in a frame and carry out these attacks, even if it is only accessible on an intranet.”

According to Context, Microsoft maintains that this behaviour is “by-design in current versions of SharePoint”.

Microsoft told the security consultancy: “We are working to set the X-Frame options in the next version of SharePoint.”

According to Context, these attacks can also be used to harvest confidential data from public websites, such as LinkedIn, that don’t protect against framing.

“An attacker using a malicious website could gather information on visiting users by piecing together small pieces of information leaked from different websites. For example, the product IDs of previously bought items from a shopping site could be combined with a person’s user ID from a social networking site,” a statement from Context said.

The company has created a blog post with specifics on framesniffing and details on how to protect websites from the attacks.

Until the affected browsers incorporate protection from framesniffing, “the onus is on individual websites to add framing protection via X-Frame-Options”, Stone said.
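A defender-side check for the mitigation Stone describes, as an added example that is not from Context or the original article: it classifies a response's framing protection from its X-Frame-Options header only. The function names and the sample header sets are constructed for illustration.

```python
# Added example: decide whether a response's headers stop other sites framing it.
# Only X-Frame-Options, the header named in the article, is evaluated.

def framing_protection(headers):
    """Return (protected, reason) for a list of (name, value) response headers."""
    raw = [v for n, v in headers if n.strip().lower() == "x-frame-options"]
    if not raw:
        return (False, "no X-Frame-Options header: any site can frame this page")
    # Servers and proxies sometimes send the header twice or comma-joined.
    values = {p.strip().upper() for v in raw for p in v.split(",") if p.strip()}
    if not values:
        return (False, "X-Frame-Options is present but empty")
    if len(values) > 1:
        # Browsers do not agree on how to resolve this, so flag it for review.
        return (False, "conflicting values: " + ", ".join(sorted(values)))
    value = values.pop()
    if value == "DENY":
        return (True, "DENY: the page may not be framed at all")
    if value == "SAMEORIGIN":
        return (True, "SAMEORIGIN: only pages from the same origin may frame it")
    if value.startswith("ALLOW-FROM"):
        # Chrome and Safari never implemented ALLOW-FROM.
        return (False, "ALLOW-FROM is not honoured by every browser")
    return (False, "unrecognised value %r is ignored by browsers" % value)

# Constructed sample responses, not captured traffic.
SAMPLES = {
    "no framing header": [("Content-Type", "text/html")],
    "sameorigin": [("Content-Type", "text/html"), ("X-Frame-Options", "SAMEORIGIN")],
    "deny, odd casing": [("x-frame-options", " deny ")],
    "typo in value": [("X-Frame-Options", "SAME-ORIGIN")],
    "duplicate conflict": [("X-Frame-Options", "DENY"), ("X-Frame-Options", "SAMEORIGIN")],
    "allow-from": [("X-Frame-Options", "ALLOW-FROM https://partner.example")],
}

def audit(samples):
    """Map each sample name to True when framing is blocked."""
    return {name: framing_protection(h)[0] for name, h in samples.items()}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        ok, why = framing_protection(hdrs)
        print("%-20s %-9s %s" % (name, "OK" if ok else "EXPOSED", why))
```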
