- From: Serge Egelman <egelman@cs.cmu.edu>
- Date: Fri, 22 Jun 2007 16:33:02 -0400
- To: Mike Beltzner <beltzner@mozilla.com>
- CC: Rachna Dhamija <rachna.w3c@gmail.com>, public-wsc-wg@w3.org, Bill Doyle <wdoyle@mitre.org>

This would seem to be in scope. The only thing that separates this scenario from one where a user goes to an unknown site (e.g. by following an email link) is the user's state of mind. In both cases the user *somehow* gets to an untrusted site, but he or she thinks that the site is really trusted. I'm not sure how this really differs from an XSS attack.

serge

Mike Beltzner wrote:
> Using Rachna's unpack (thanks for that!) the way I see it ...
>
> 1. is definitely out of scope.
>
> 2. is strange - the fact that the site is compromised makes me think
> this is out of scope, but must any identity mechanisms that we do accept
> as in scope protect users from these types of problems?
>
> 3. feels in scope to me, especially if the iframe is doing things where
> a site which is trusted/identified in one way is loading content from a
> site that is not trusted, and then presenting it as part of the trusted
> site. I understand that this is a common practice amongst websites, but
> we need some mechanisms for enabling it without enabling this type of
> compromise as a side effect, IMO. Also, we need a pony.
>
> 4. the browser exploits that result in downloaded and installed malware
> are in scope, but once infected, the effects of that malware are totally
> out of scope.
>
> imo, fwiw, etc.
>
> cheers,
> mike
> ----- Original Message -----
> From: "Rachna Dhamija" <rachna.w3c@gmail.com>
> To: "Bill Doyle" <wdoyle@mitre.org>
> Cc: public-wsc-wg@w3.org
> Sent: Tuesday, June 19, 2007 6:21:18 PM (GMT-0500) America/New_York
> Subject: Re: iframe tag attack
>
> On 6/19/07, *Doyle, Bill* <wdoyle@mitre.org>
> wrote:
>
> This enterprising company seems to have improved productivity.
>
> New Web Exploit at 10,000 Machines and Growing, Security Company Warns
>
> Seems to be a user agent issue, is this in or out of scope?
>
>
> If we unpack the attack, this question might be easier to answer:
> 1) Attacker compromises a web server using malware
> 2) User visits a legitimate, but compromised, website that includes
> malicious iframe
> 3) iframe causes browser to be redirected to a site with malicious
> javascript
> 4) malicious javascript detects the browser type and exploits browser
> vulnerabilities to download code, which then downloads other code
> (keyloggers, proxy, etc...)
>
> We have ruled 1 out of scope. How about the rest?
>
> I am hoping that we can use our list of attacks (i.e., the threat trees)
> to come to a better understanding on what is in and out of scope.
>
> Rachna
>
>

--
/*
Serge Egelman
PhD Candidate
Vice President for External Affairs, Graduate Student Assembly
Carnegie Mellon University
Legislative Concerns Chair
National Association of Graduate-Professional Students
*/

Received on Friday, 22 June 2007 20:33:21 UTC