[Webkit-unassigned] [Bug 15936] New: Overly permissive frame navigation allows password theft
bugzilla-daemon at webkit.org
Sat Nov 10 16:45:31 PST 2007
http://bugs.webkit.org/show_bug.cgi?id=15936
Summary: Overly permissive frame navigation allows password theft
Product: WebKit
Version: 525+ (Nightly build)
Platform: All
URL: http://crypto.stanford.edu/~abarth/research/webkit/adsense.html
OS/Version: All
Status: UNCONFIRMED
Severity: Normal
Priority: P2
Component: Frames
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: hk9565 at gmail.com
CC: webkit at collinjackson.com
WebKit's frame navigation policy is overly permissive, allowing a web attacker
to steal passwords from many sites including Google and several banks.
WebKit allows any page to navigate subframes of any other page. If a site
embeds a password field in a frame, a malicious web site operator can navigate
that frame to his site and steal user passwords.
The steps below can be used to reproduce the issue:
1) Navigate to http://crypto.stanford.edu/~abarth/research/webkit/adsense.html
2) Click "Open AdSense in a new window."
3) Click "Navigate the AdSense login frame."
4) Notice the password field in the AdSense window has been replaced by content
of the attacker's choice. The address bar reads "www.google.com" and the lock
icon is intact.
The frame navigation policy in Firefox 2 was developed in 1999 in response to a
similar attack against CitiBank [1]. Their policy is as follows:
* Allow the navigation if the source and target frames are contained in the same
window.
* Allow if the source frame can script the target frame or one of its ancestors
in the frame hierarchy.
Internet Explorer 7 is more strict than Firefox 2. For example, IE7 forbids
the navigation from the lower frame in [2] whereas Firefox 2 permits it. From
what we can tell, IE7 is enforcing the following policy:
* Allow if the source frame can script the target frame or one of its
ancestors in the frame hierarchy.
The HTML5 spec [3] is the most strict. From our reading, it forbids both of
the navigations in [4], whereas all the browsers we've tested allow both.
We recommend WebKit implement the same frame navigation policy as Internet
Explorer 7:
* Allow if the source frame can script the target frame or one of its
ancestors in the frame hierarchy.
References:
[1] https://bugzilla.mozilla.org/show_bug.cgi?id=13871
[2] http://crypto.stanford.edu/~abarth/research/nav/frame1.html
[3] http://www.whatwg.org/specs/web-apps/current-work/#the-rules
[4] http://xenon.stanford.edu/~abarth/research/nav/frame1.html
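The three frame navigation policies compared in the report (WebKit's permissive policy, the Firefox 2 policy and the descendant policy attributed to IE7) can be modeled as a check over a frame tree. The following is an added example, not WebKit code and not the reporter's test pages: the frame trees, origins and the two scenarios are constructed here, the AdSense case follows the report's description, and the sibling-frame case is a plausible layout of the kind the report says IE7 rejects and Firefox 2 permits, not the actual contents of frame1.html. Scripting access is reduced to a same-origin comparison, which ignores document.domain and about:blank inheritance.

```javascript
// Added example: a model of the frame navigation policies described in the
// WebKit bug report. Frames, origins and scenarios are constructed here.

function makeFrame(origin, parent = null) {
  const frame = { origin, parent, children: [], top: null };
  frame.top = parent ? parent.top : frame;
  if (parent) parent.children.push(frame);
  return frame;
}

// Scripting relationship modeled as same-origin only (simplification:
// real browsers also consider document.domain and about:blank inheritance).
function canScript(source, target) {
  return source.origin === target.origin;
}

function sameWindow(source, target) {
  return source.top === target.top;
}

// Descendant rule: source may script target or one of target's ancestors.
function canScriptAncestor(source, target) {
  for (let f = target; f !== null; f = f.parent) {
    if (canScript(source, f)) return true;
  }
  return false;
}

const policies = {
  // WebKit at the time of the report: any page may navigate any frame.
  permissive: () => true,
  // Firefox 2 as described in the report: same window OR descendant rule.
  firefox2: (s, t) => sameWindow(s, t) || canScriptAncestor(s, t),
  // IE7 as described in the report, and the recommended policy: descendant rule only.
  descendant: (s, t) => canScriptAncestor(s, t),
};

function mayNavigate(policy, source, target) {
  return policies[policy](source, target);
}

// Scenario 1 (constructed after the report's AdSense steps): a top-level
// www.google.com window embeds a same-origin login frame; a separate
// attacker-controlled window tries to navigate that login frame.
function evaluateAdSenseCase() {
  const adsense = makeFrame("https://www.google.com");
  const login = makeFrame("https://www.google.com", adsense);
  const attacker = makeFrame("https://attacker.example");
  const results = {};
  for (const p of Object.keys(policies)) {
    results[p] = {
      attackerNavigatesLogin: mayNavigate(p, attacker, login),
      adsenseNavigatesLogin: mayNavigate(p, adsense, login),
    };
  }
  return results;
}

// Scenario 2 (constructed, hypothetical layout): a publisher page embeds two
// sibling frames from different origins; the attacker's frame tries to
// navigate its sibling. Same window, so Firefox 2's first rule allows it;
// the attacker can script neither the sibling nor the top frame, so the
// descendant policy denies it.
function evaluateSiblingCase() {
  const publisher = makeFrame("https://publisher.example");
  const attackerFrame = makeFrame("https://attacker.example", publisher);
  const victimFrame = makeFrame("https://bank.example", publisher);
  const results = {};
  for (const p of Object.keys(policies)) {
    results[p] = mayNavigate(p, attackerFrame, victimFrame);
  }
  return results;
}

console.log(JSON.stringify(evaluateAdSenseCase(), null, 2));
console.log(JSON.stringify(evaluateSiblingCase(), null, 2));
```

Under the descendant policy the attacker's window cannot reach the login frame in the AdSense case, while the AdSense page itself still can; the sibling case shows the one navigation on which the two stricter policies disagree.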