Microsoft SharePoint exposes privates in sniffing hack

You've been X-Framed

Updated: Sensitive information held in content management system Microsoft SharePoint is vulnerable to mining as the result of a newly discovered attack, security researchers warn.

So-called frame-sniffing attacks involve the use of a hidden HTML frame to load a target website inside the attacker's malicious webpage. Using the tactic, attackers would be able to read information about the content and structure of the framed pages.

Context Information Security said the hack relies on tricking a content management system user into browsing a webpage controlled by an attacker, possibly in response to a spam email. If the user leaves the tab open then the attacker can use frame-sniffing to run searches on SharePoint just like an internal user.

The security consultancy warns that the approach bypasses browser security restrictions that are meant to prevent webpages directly reading the contents of third-party sites loaded in frames. Guarding against the attack involves setting the X-Frame-Options response header on the server, so that browsers disallow framing. However, this header is not sent by default on current versions of Microsoft SharePoint.

"Using frame-sniffing it's possible for a malicious webpage to run search queries for potentially sensitive terms on a SharePoint server and determine how many results are found for each query," explained Paul Stone, senior security consultant at Context. "For example, with a given company name it is possible to establish who their customers or partners are; and once this information has been found, the attacker can go on to perform increasingly complex searches and uncover valuable commercial information."

Context researchers tested SharePoint 2007 and 2010 installations. They discovered that by default, neither version of the enterprise server software sends the X-Frame-Options header that instructs web browsers to disallow framing. As a result, firms that rely on either flavour of the enterprise content management system are vulnerable to both frame-sniffing and click-jacking. Attacks are possible if the URL of a SharePoint installation is known, even if it is only accessible on an intranet.
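A defender can check for that missing header directly. The sketch below is an added example, not code from Context or Microsoft: it classifies captured response headers by whether X-Frame-Options actually disallows framing. The hostnames and sample responses are constructed, and it looks only at the header the article names.

```python
"""Audit HTTP response headers for framing protection (added example)."""

VALID = {"DENY", "SAMEORIGIN"}  # ALLOW-FROM is obsolete, so it is not accepted


def xfo_tokens(headers):
    """Collect every X-Frame-Options token from (name, value) pairs.

    Names are case-insensitive; the header may repeat or hold a comma list.
    """
    tokens = []
    for name, value in headers:
        if name.strip().lower() == "x-frame-options":
            tokens += [t.strip().upper() for t in value.split(",") if t.strip()]
    return tokens


def framing_verdict(headers):
    """Return 'protected', 'misconfigured' or 'framable' for one response."""
    distinct = set(xfo_tokens(headers))
    if not distinct:
        return "framable"  # header absent, the default the article describes
    if len(distinct) == 1 and distinct <= VALID:
        return "protected"
    return "misconfigured"  # unknown or conflicting values: do not rely on them


def audit(responses):
    """Map each URL to its verdict; anything but 'protected' needs attention."""
    return {url: framing_verdict(hdrs) for url, hdrs in responses.items()}


# Constructed sample responses for a hypothetical intranet host.
SAMPLE = {
    "http://sharepoint.example.internal/default.aspx": [
        ("Content-Type", "text/html; charset=utf-8"),
    ],
    "http://sharepoint.example.internal/search/results.aspx": [
        ("x-frame-options", "sameorigin"),
    ],
    "http://sharepoint.example.internal/sites/hr/home.aspx": [
        ("X-Frame-Options", "DENY"),
        ("X-Frame-Options", "SAMEORIGIN"),
    ],
}

if __name__ == "__main__":
    for url, verdict in audit(SAMPLE).items():
        print(f"{verdict:14} {url}")
```

Pages reported as framable or misconfigured are the ones where the server-side header still needs to be set.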

After reviewing the vulnerability, Microsoft said it planned to set the X-Frame-Options header in the next version of its content management software:

We have concluded our investigation and determined that this is by-design in current versions of SharePoint. We are working to set the X-Frame-Options in the next version of SharePoint.

Frame-sniffing can also be used to harvest confidential data from public websites, such as LinkedIn, that fail to protect against framing, according to security researchers at Context:

An attacker using a malicious website could build a profile of visiting users by piecing together small pieces of information leaked from different websites. For example, the product IDs of previously bought items from a shopping site could be combined with a person’s user ID from a social networking site.

LinkedIn said it was investigating the issue. We'll update this story as and when we hear more.

A blog post by Context explains the frame-sniffing attack in greater depth and outlines how adding the X-Frame-Options header defends against it. The post features a video that shows an attacker extracting sensitive information from a fictional corporate SharePoint installation.

At a casual glance the attack might resemble a cross-site scripting flaw of the type that allows content under the control of hackers to be displayed in the context of a vulnerable website.

Not so.

"It’s not a cross-site scripting attack, as no code is injected into the site (and it’s not an input validation flaw, like XSS or SQL injection)," Stone told El Reg. "It’s an information leak that allows certain bits of data to be read. Sites are ‘vulnerable by default’ in that they don’t have to do anything special in order for this attack to work – if they don’t protect against click-jacking then they’re also vulnerable to frame-sniffing."

El Reg contacted LinkedIn about the attacks. A spokesperson reckons punters might have to swap their browser:

We are aware of an issue with certain internet browsers that can enable a hacker to access information held on private Microsoft SharePoint sites, as well as mine data from public sites, by attempting to guess an individual’s personal information in “framesniffing” attacks. Our advice for concerned LinkedIn members is to contact their internet browser provider to ensure they are protected against such an attack or use an alternative browser.

®
