Frames security hole

Bill Stewart bill.stewart at pobox.com
Sun Nov 29 21:48:02 PST 1998



	------------------------------
	Date: Fri, 20 Nov 1998 12:27:16 +0000 (GMT)
	From: Lindsay.Marshall at newcastle.ac.uk
	Subject: Frames security hole

	There is a description and demo of a security hole with frames in web
	browsers at http://www.securexpert.com/framespoof/start.html - there is
	a version that works without javascript enabled as well.

	http://catless.ncl.ac.uk/Lindsay
	------------------------------

I checked it out, and it's way cool.  You open some frame-using target page,
such as www.citibank.com, in Netscape or Internet Exploder,
and click on their hack, and a new frame appears on the target page,
replacing some frame that belonged there.  They say they can fake out
Netscape's "key" icon that claims that an https: page is secure,
though I didn't have any handy frame-based https pages to test with.

Technical Discussion: http://www.securexpert.com/framespoof/tech.html
Some defenses: http://www.securexpert.com/framespoof/defense.html
==> but the real defense is getting your browser vendor to fix the browser.
Meanwhile, don't trust any web page with frames with any
information you care too much about.
				Thanks! 
					Bill
Bill Stewart, bill.stewart at pobox.com
PGP Fingerprint D454 E202 CBC8 40BF  3C85 B884 0ABE 4639





