Frames security hole

------------------------------

Date: Fri, 20 Nov 1998 12:27:16 +0000 (GMT)
From: Lindsay.Marshall@newcastle.ac.uk
Subject: Frames security hole

There is a description and demo of a security hole with frames in web browsers at http://www.securexpert.com/framespoof/start.html - there is a version that works without javascript enabled as well.

http://catless.ncl.ac.uk/Lindsay

------------------------------

I checked it out, and it's way cool. You open some frame-using target page, such as www.citibank.com, in Netscape or Internet Exploder, and click on their hack, and a new frame appears on the target page, replacing some frame that belonged there. They say they can fake out Netscape's "key" icon that claims that an https: page is secure, though I didn't have any handy frame-based https pages to test with.

Technical Discussion: http://www.securexpert.com/framespoof/tech.html
Some defenses http://www.securexpert.com/framespoof/defense.html
==> but the real defense is getting your browser vendor to fix the browser.

Meanwhile, don't trust any web page with frames with any information you care too much about.

Thanks!
Bill

Bill Stewart, bill.stewart@pobox.com
PGP Fingerprint D454 E202 CBC8 40BF 3C85 B884 0ABE 4639