Tuesday, September 13, 2011

Exploiting FB Iframe tabs


FBML was deprecated and Facebook iframe tabs were introduced in Feb '11. As expected, this caught significant traction from developers and security researchers alike. While developers applauded the adoption of an existing mechanism, iframes, which lets them write third-party apps without the learning curve that traditionally came with Facebook, the security community raised concerns that the viral nature of Facebook, combined with iframes, further exacerbates their evil nature. Below is a screenshot of Levi's iframe tab on FB.



I love iframes. Had they not existed, there would have been shouts to kill HTTP and invent a new protocol to support client-side mashups. So in a sense, the iframe is a blessing that enabled an unexpected requirement by chance, although with some security implications. It is another assurance of my belief, if anyone still doubted it, that these great technologies (HTTP, iframes and JS) are here to stay for a very, very long time. I also believe the new specifications, the HTML5 sandbox and ES5, are moving in the right direction to enable secure mashups, one day when those (IE6) are buried!

Back to the topic. Nothing new, but it is worth revisiting what an attacker could technically exploit on FB iframe tabs.

1. Malicious redirection via top.location = http://s0m3phishing.com, as seen in the video below. For the demo I perform a redirect to http://yahoo.com


2. Fake Login / Malicious UI via  and window.open()






3. Drive-by downloads / malware installation via Content-Disposition: attachment




4. Denial of service (DoS) and noise by creating infinite alert() and while loops. This particular issue concerns few, including the security community, but for a business it does matter, as an attacker can impact user engagement and experience, which are of prime importance in this business.


5. Browser history sniffing/mining via getComputedStyle(), as highlighted in the screenshot below




6. Referrer leak, e.g. a Referer header of http:///r.html?a=secret&b=private



7. LAN scanning via JavaScript. A good write-up on this is available here
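The seven abuse classes above map almost one-to-one onto the capabilities a host page can withhold from an embedded tab with the HTML5 sandbox attribute and a referrer policy. The following is an added example written for this post (not code from the original or from Facebook): it audits an embed's sandbox tokens and referrerpolicy against the list above and builds a least-privilege embed tag. Sandbox token names and referrer policy values are the real HTML ones; the attack numbering is this page's.

```javascript
// Which listed attacks each sandbox token re-enables. Item 6 (referrer leak) is
// governed by referrerpolicy, not by sandbox, and is handled separately below.
const SANDBOX_GATED = [
  { id: 1, name: "redirect via top.location", needs: ["allow-top-navigation"] },
  { id: 2, name: "fake login via window.open()", needs: ["allow-popups"] },
  { id: 3, name: "drive-by download via Content-Disposition", needs: ["allow-downloads"] },
  { id: 4, name: "DoS via alert()/while loops", needs: ["allow-scripts"] }, // alert() also needs allow-modals
  { id: 5, name: "history sniffing via getComputedStyle()", needs: ["allow-scripts"] },
  { id: 7, name: "LAN scanning via JavaScript", needs: ["allow-scripts"] },
];
// Referrer policies under which a cross-origin frame still receives the full
// URL (path and query). An absent attribute is treated as leaking, which is
// how browsers of the post's era behaved.
const FULL_URL_REFERRER = new Set([undefined, null, "", "unsafe-url", "no-referrer-when-downgrade"]);

// null means no sandbox attribute at all, i.e. the unrestricted 2011 situation.
function parseSandbox(value) {
  if (value === null || value === undefined) return null;
  return new Set(value.trim().split(/\s+/).filter(Boolean));
}

// Sorted ids of the listed attacks that this embed still permits.
function permittedAttacks(sandboxValue, referrerPolicy) {
  const tokens = parseSandbox(sandboxValue);
  const ids = [];
  for (const a of SANDBOX_GATED) {
    // Without a sandbox attribute every capability is on.
    if (tokens === null || a.needs.every(t => tokens.has(t))) ids.push(a.id);
  }
  if (FULL_URL_REFERRER.has(referrerPolicy)) ids.push(6);
  return ids.sort((x, y) => x - y);
}

function escapeAttr(s) {
  return String(s).replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;");
}

// Least-privilege embed: scripts only (an app needs them), no top navigation,
// no popups, no downloads, no referrer. Anything more must be asked for explicitly.
function hardenedEmbed(src, extraTokens = []) {
  const tokens = ["allow-scripts", ...extraTokens];
  // allow-same-origin plus allow-scripts lets a frame that shares the embedder's
  // origin strip its own sandbox attribute, so refuse that pairing outright.
  if (tokens.includes("allow-same-origin")) throw new Error("allow-same-origin with allow-scripts defeats the sandbox");
  return `<iframe src="${escapeAttr(src)}" sandbox="${tokens.join(" ")}" referrerpolicy="no-referrer"></iframe>`;
}
```

Items 4, 5 and 7 remain whenever scripts are allowed at all, which is why the sandbox alone is no substitute for reviewing what an app actually does.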



