[Webkit-unassigned] [Bug 15936] New: Overly permissive frame navigation allows password theft

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sat Nov 10 16:45:31 PST 2007


http://bugs.webkit.org/show_bug.cgi?id=15936

           Summary: Overly permissive frame navigation allows password theft
           Product: WebKit
           Version: 525+ (Nightly build)
          Platform: All
               URL: http://crypto.stanford.edu/~abarth/research/webkit/adsense.html
        OS/Version: All
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: Frames
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: hk9565 at gmail.com
                CC: webkit at collinjackson.com


WebKit's frame navigation policy is overly permissive, allowing a web attacker
to steal passwords from many sites including Google and several banks.

WebKit allows any page to navigate subframes of any other page.  If a site
embeds a password field in a frame, a malicious web site operator can navigate
that frame to his site and steal user passwords.

The steps below can be used to reproduce the issue:

1) Navigate to http://crypto.stanford.edu/~abarth/research/webkit/adsense.html
2) Click "Open AdSense in a new window."
3) Click "Navigate the AdSense login frame."
4) Notice the password field in the AdSense window has been replaced by content
of the attacker's choice.  The address bar reads "www.google.com" and the lock
icon is intact.

The frame navigation policy in Firefox 2 was developed in 1999 in response to a
similar attack against CitiBank [1].  Their policy is as follows:

* Allow the navigation if the source and target frames are contained in the same
window.
* Allow if the source frame can script the target frame or one of its ancestors
in the frame hierarchy.

Internet Explorer 7 is more strict than Firefox 2.  For example, IE7 forbids
the navigation from the lower frame in [2] whereas Firefox 2 permits it.  From
what we can tell, IE7 is enforcing the following policy:

* Allow if the source frame can script the target frame or one of its
ancestors in the frame hierarchy.

The HTML5 spec [3] is the most strict.  From our reading, it forbids both of
the navigations in [4], whereas all the browsers we've tested allow both.

We recommend WebKit implement the same frame navigation policy as Internet
Explorer 7:

* Allow if the source frame can script the target frame or one of its
ancestors in the frame hierarchy.

References:

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=13871
[2] http://crypto.stanford.edu/~abarth/research/nav/frame1.html
[3] http://www.whatwg.org/specs/web-apps/current-work/#the-rules
[4] http://xenon.stanford.edu/~abarth/research/nav/frame1.html
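As an added illustration (not part of the bug report or of WebKit), the script below models the three navigation policies described above and evaluates them on constructed frame trees: the cross-window AdSense-style case, and a same-window sibling case of the kind that separates Firefox 2 from IE7. "Can script" is approximated by same-origin, and every origin used is made up.

```javascript
// Added example: a model of the frame navigation policies from the report.
// Assumption: "source can script target" is approximated by same-origin.
class Frame {
  constructor(origin, parent = null) {
    this.origin = origin;
    this.parent = parent;
    this.children = [];
    if (parent) parent.children.push(this);
  }
  // The top-level frame identifies the window a frame lives in.
  get window() { return this.parent ? this.parent.window : this; }
  ancestors() {
    const out = [];
    for (let f = this.parent; f; f = f.parent) out.push(f);
    return out;
  }
}

const canScript = (src, dst) => src.origin === dst.origin;
const canScriptTargetOrAncestor = (src, dst) =>
  [dst, ...dst.ancestors()].some(f => canScript(src, f));

// The three policies as stated in the report.
const policies = {
  webkit2007: () => true,                                   // any page may navigate any subframe
  firefox2: (src, dst) => src.window === dst.window ||      // same window, or ...
                          canScriptTargetOrAncestor(src, dst),
  ie7: (src, dst) => canScriptTargetOrAncestor(src, dst),   // descendant policy only
};

function mayNavigate(policy, src, dst) { return policies[policy](src, dst); }
const evaluateAll = (src, dst) =>
  Object.fromEntries(Object.keys(policies).map(p => [p, mayNavigate(p, src, dst)]));

// Scenario 1 (constructed, modelled on the AdSense case): window A is a
// google.com page holding a same-origin login subframe; window B is the attacker.
function adsenseScenario() {
  const adsense = new Frame("https://www.google.com");
  const login = new Frame("https://www.google.com", adsense);
  const attacker = new Frame("https://attacker.example");
  return evaluateAll(attacker, login);
}

// Scenario 2 (constructed): two cross-origin sibling frames in one window;
// the lower frame tries to navigate the upper one.
function siblingScenario() {
  const top = new Frame("https://publisher.example");
  const upper = new Frame("https://a.example", top);
  const lower = new Frame("https://b.example", top);
  return evaluateAll(lower, upper);
}
```

Only the permissive policy allows the cross-window navigation in scenario 1; in scenario 2 the same-window rule makes Firefox 2 permit what the descendant-only policy forbids.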

