Detectify
Knowledge Base

Side Channel Authentication Token Leakage

Last Updated: Sep 12, 2017 09:55AM CEST

In older versions of Firefox it is possible to load view-source:https://target.com in an iframe. An attacker can do this on a page under their control and then extract the text from it by measuring the timing difference for different frames. This text includes anything visible on the page, such as user data, but also tokens that are hidden in the client-side code.

What can happen?

The view-source: view of a web page is its client-side code. This exposes any sensitive personal credentials available to the user, like the username or e-mail address. In addition, CSRF tokens would also be exposed, allowing the attacker to conduct CSRF attacks.

The impact of CSRF attacks is explained in more detail here.

Remediation

This attack only works in a limited set of web browsers, for example some outdated versions of Firefox, and it is therefore understandable if you do not consider this a security threat. In that case, please mark this as an Accepted Risk and it will be automatically filtered out in the future.

However, the remediation for this is the same as for Clickjacking, so see that article for a guide on how to protect against it.
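
The Clickjacking article is not reproduced on this page. As an added example (not Detectify's code), the Python check below assumes the standard anti-framing response headers, X-Frame-Options and the CSP frame-ancestors directive, and reports whether a response can still be framed by browsers that only understand X-Frame-Options. The function names and sample headers are constructed for illustration.

```python
# Added example: audit response headers for anti-framing protection.
# All names and sample headers are constructed for illustration.
RANK = {"frameable": 0, "restricted": 1, "same-origin": 2, "blocked": 3}
XFO = {"DENY": "blocked", "SAMEORIGIN": "same-origin"}  # ALLOW-FROM is obsolete

def frame_ancestors(csp_value):
    """Return the frame-ancestors source list of one CSP value, or None."""
    for directive in csp_value.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None

def classify_ancestors(sources):
    if not sources or sources == ["'none'"]:
        return "blocked"          # an empty list matches no ancestor
    if sources == ["'self'"]:
        return "same-origin"
    if any(s in ("*", "http:", "https:") for s in sources):
        return "frameable"        # wildcard or bare scheme allows any site
    return "restricted"           # explicit host allow-list

def framing_verdict(headers):
    """headers: list of (name, value) pairs, so repeated headers survive.

    'modern' is what a browser enforcing frame-ancestors applies (it takes
    precedence over X-Frame-Options); 'legacy' is what a browser that only
    understands X-Frame-Options applies. With repeated headers the strictest
    recognised value is used, which is a simplification.
    """
    xfo, csp = "frameable", None
    for name, value in headers:
        name = name.lower()
        if name == "x-frame-options":
            seen = XFO.get(value.strip().upper(), "frameable")
            xfo = max(xfo, seen, key=RANK.get)
        elif name == "content-security-policy":   # Report-Only never enforces
            sources = frame_ancestors(value)
            if sources is not None:
                seen = classify_ancestors(sources)
                csp = seen if csp is None else max(csp, seen, key=RANK.get)
    return {"modern": xfo if csp is None else csp, "legacy": xfo}

if __name__ == "__main__":
    sample = [("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'")]
    print(framing_verdict(sample))  # CSP only: legacy browsers stay frameable
```

A response that sets only frame-ancestors leaves the "legacy" verdict at "frameable", so sending X-Frame-Options alongside it covers browsers that do not enforce the CSP directive.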

If you have any questions, please reach out to support@detectify.com and we will help you out!