Side Channel Authentication Token Leakage

In older versions of Firefox (versions from 2013 and earlier) it is possible to load view-source:https://target.com in an iframe. An attacker can do this on a page under their control and then extract the text of the framed page by measuring timing differences between frames. That text includes everything in the page source: user data visible on the page, but also tokens hidden in the client-side code.

What can happen?

The view-source: view of a web page is its client-side code. Exposing it reveals any sensitive personal details available to the user, such as the username or e-mail address. In addition, CSRF tokens would also be exposed, allowing the attacker to conduct CSRF attacks.

The impact of CSRF attacks is explained in more detail here.

Remediation

This attack only works in a limited set of web browsers, for example some outdated versions of Firefox, and it is therefore understandable if you do not consider this a security threat. In that case, please mark this as an Accepted Risk and it will be automatically filtered out in the future.

However, the remediation for this is the same as for Clickjacking, so see that article for a guide on how to protect against it.
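As an added example that is not part of the original article, the Python below classifies how a response may be framed from the headers the Clickjacking remediation relies on (X-Frame-Options and the CSP frame-ancestors directive); the sample responses it checks are constructed for the example.

```python
# Added example: audit the headers that stop a page from being framed by a third party
# (the standard clickjacking defence). Sample responses below are constructed; not Detectify code.
from typing import Dict, Optional

DENY_ALL = "deny-all"        # no origin may frame the page
SAME_ORIGIN = "same-origin"  # only the page's own origin may frame it
RESTRICTED = "restricted"    # only an explicit allow-list of origins may frame it
FRAMEABLE = "frameable"      # any origin, including an attacker's, may frame it


def _frame_ancestors(csp: str) -> Optional[str]:
    """Return the frame-ancestors source list from a CSP header, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return " ".join(parts[1:]).lower()
    return None


def frame_policy(headers: Dict[str, str]) -> str:
    """Classify how a response may be framed. Header names are case-insensitive;
    CSP frame-ancestors wins over X-Frame-Options when both are present."""
    lower = {k.lower(): v for k, v in headers.items()}
    ancestors = _frame_ancestors(lower.get("content-security-policy", ""))
    if ancestors is not None:
        if ancestors in ("", "'none'"):  # an empty source list matches nothing
            return DENY_ALL
        if ancestors == "'self'":
            return SAME_ORIGIN
        # explicit origins are an allow-list; a wildcard lets anyone frame the page
        return FRAMEABLE if "*" in ancestors.split() else RESTRICTED
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return DENY_ALL
    if xfo == "SAMEORIGIN":
        return SAME_ORIGIN
    if xfo.startswith("ALLOW-FROM"):
        return RESTRICTED  # legacy syntax, not honoured by every browser
    return FRAMEABLE  # header missing or unrecognised: an attacker's page can frame it


# Constructed sample responses: one unprotected, one hardened.
UNPROTECTED = {"Content-Type": "text/html"}
HARDENED = {"Content-Type": "text/html", "X-Frame-Options": "DENY",
            "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"}

if __name__ == "__main__":
    for name, hdrs in (("unprotected", UNPROTECTED), ("hardened", HARDENED)):
        print(f"{name}: {frame_policy(hdrs)}")
```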

If you have any questions, please reach out to support@detectify.com and we will help you out!