Re: iframe tag attack

This would seem to be in scope.  The only thing that separates this
scenario from one where a user goes to an unknown site (e.g. by
following an email link) is the user's state of mind.  In both cases the
user *somehow* gets to an untrusted site, but he or she thinks that the
site is really trusted.

I'm not sure how this really differs from an XSS attack.

serge

Mike Beltzner wrote:
> Using Rachna's unpack (thanks for that!) the way I see it ...
> 
> 1. is definitely out of scope.
> 
> 2. is strange - the fact that the site is compromised makes me think
> this is out of scope, but must any identity mechanisms that we do accept
> as in scope protect users from these types of problems?
> 
> 3. feels in scope to me, especially if the iframe is doing things where
> a site which is trusted/identified in one way is loading content from a
> site that is not trusted, and then presenting it as part of the trusted
> site. I understand that this is a common practice amongst websites, but
> we need some mechanisms for enabling it without enabling this type of
> compromise as a side effect, IMO. Also, we need a pony.
> 
> 4. the browser exploits that result in downloaded and installed malware
> are in scope, but once infected, the effects of that malware are totally
> out of scope.
> 
> imo, fwiw, etc.
> 
> cheers,
> mike
> ----- Original Message -----
> From: "Rachna Dhamija" <rachna.w3c@gmail.com>
> To: "Bill Doyle" <wdoyle@mitre.org>
> Cc: public-wsc-wg@w3.org
> Sent: Tuesday, June 19, 2007 6:21:18 PM (GMT-0500) America/New_York
> Subject: Re: iframe tag attack
> 
> On 6/19/07, *Doyle, Bill* <wdoyle@mitre.org> wrote:
> 
>     This enterprising company seems to have improved productivity.
>      
>     New Web Exploit at 10,000 Machines and Growing, Security Company Warns
>      
>     Seems to be a user agent issue, is this in or out of scope?
> 
> 
> If we unpack the attack, this question might be easier to answer:
> 1) Attacker compromises a web server using malware
> 2) User visits a legitimate, but compromised, website that includes
> malicious iframe
> 3) iframe causes browser to be redirected to a site with malicious
> javascript
> 4) malicious javascript detects the browser type and exploits browser
> vulnerabilities to download code, which then downloads other code
> (keyloggers, proxy, etc...)
> 
> We have ruled 1 out of scope.  How about the rest? 
> 
> I am hoping that we can use our list of attacks (i.e., the threat trees)
> to come to a better understanding on what is in and out of scope.
> 
> Rachna
> 
> 
> 

-- 
/*
Serge Egelman

PhD Candidate
Vice President for External Affairs, Graduate Student Assembly
Carnegie Mellon University

Legislative Concerns Chair
National Association of Graduate-Professional Students
*/

Received on Friday, 22 June 2007 20:33:21 UTC