[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Frames security hole




	------------------------------
	Date: Fri, 20 Nov 1998 12:27:16 +0000 (GMT)
	From: [email protected]
	Subject: Frames security hole

	There is a description and demo of a security hole with frames in web
	browsers at http://www.securexpert.com/framespoof/start.html - there is
	a version that works without javascript enabled as well.

	http://catless.ncl.ac.uk/Lindsay
	------------------------------

I checked it out, and it's way cool.  You open some frame-using target page,
such as www.citibank.com, in Netscape or Internet Exploder,
and cliok on their hack, and a new frame appears on the target page,
replacing some frame that belonged there.  They say they can fake out
Netscape's "key" icon that claims that an https: page is secure,
though I didn't have any handy frame-based https pages to test with.

Technical Discussion: http://www.securexpert.com/framespoof/tech.html
Some defenses http://www.securexpert.com/framespoof/defense.html
==> but the rel defense is getting your browser vendor to fix the browser.
Meanwhile, don't trust any web page with frames with any
information you care too much about.
				Thanks! 
					Bill
Bill Stewart, [email protected]
PGP Fingerprint D454 E202 CBC8 40BF  3C85 B884 0ABE 4639