Data mining with HTML anchors
Security researchers from the consultancy firm Context have demonstrated that HTML anchors can be used by attackers to harvest a web page visitor's private data. At first sight, the "framesniffing" technique appears to be a bit of a joke: attackers can potentially use the position of an iFrame's scroll bar to extract sensitive information.
To do this, they lure their victims to a page that is controlled by the attackers and which loads another page in an invisible iFrame. This page could be a confidential intranet page or could contain private data in a social network. The attackers use a specific anchor tag like http://en.wikipedia.org/wiki/Web_browser#History to embed the page. If the scroll bar jumps to the anchor after the page has been loaded, the attackers know that an anchor or HTML element with this ID exists on the page.
If the attackers are aware of the structure of a page they can, little by little, use these pieces of information to access the data they're after. For example, they could launch a targeted search query and use the anchors they find in the results page to establish how many hits were returned by the query. To demonstrate the scope of the problem, the Context researchers used a script that unlawfully extracts user data from the LinkedIn business platform.
However, a little more creativity will allow more complex attacks to be carried out: in a video, the security experts demonstrate how they extracted the details of a fictitious company take-over from a SharePoint installation on an intranet. Such an attack may take fifteen minutes, said the researchers. During that time, the victim only needs to keep open the specially crafted page.
Normally, the same-origin policy prevents a script from domain A (the attacker's page) from accessing data on domain B (the embedded page). However, only Firefox users are currently protected against framesniffing. The developers have released an update to ensure that framesniffing is no longer possible. Web page administrators can protect their visitors by adding the X-Frame-Options field to the HTTP header. This field prevents the browser from opening a page in an iFrame.