SharePoint Users Beware Framesniffers

May 10, 2012

Security is a topic which is getting increased attention, particularly in the SharePoint community. I want to call attention to “Microsoft SharePoint and LinkedIn Data at Risk from Framesniffing Attacks” from ITWire.com. The Safari, Chrome, and Internet Explorer Web browsers are inadvertently allowing hackers to steal information from private Microsoft SharePoint Web sites and mine data from public Web sites like LinkedIn.

A Framesniffing attack occurs when a hacker’s Web page loads a target Web site in a hidden HTML frame in order to mine information about the content and structure of the framed pages. The hacker can then overcome the browser’s security restrictions and read the sensitive information.

As explained in the ITWire.com article:

“Paul Stone, senior security consultant at Context said, ‘Using Framesniffing, it’s possible for a malicious Web page to run search queries for potentially sensitive terms on a SharePoint server and determine how many results are found for each query. For example, with a given company name it is possible to establish who their customers or partners are; and once this information has been found, the attacker can go on to perform increasingly complex searches and uncover valuable commercial information.’”

The problem centers on the X-Frame-Options response header, which tells the Web browser not to render a page inside a frame; SharePoint does not send this header by default. Microsoft has stated that the next SharePoint version will set X-Frame-Options, but until then, SharePoint gurus, it is up to you to find a solution. If your organization discovers a way to keep its information from prying eyes, you will still need a way to find the data.
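Whether a given response carries the header can be checked mechanically when auditing a SharePoint front end. The Python below is an added example, not code from the original post or from Microsoft; it also recognises the later Content-Security-Policy `frame-ancestors` directive, which goes beyond the X-Frame-Options header discussed here. The function names and the sample responses are constructed for illustration.

```python
# Added example: judge framing protection from response headers (constructed samples).
def parse_headers(raw):
    """Parse a raw header block into {lowercased name: [values]}."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def framing_verdict(raw):
    """Return ('protected' | 'frameable' | 'misconfigured', reason)."""
    headers = parse_headers(raw)
    # An enforced CSP frame-ancestors directive supersedes X-Frame-Options.
    ancestors = []
    for policy in headers.get("content-security-policy", []):
        for directive in policy.split(";"):
            parts = directive.lower().split()
            if parts and parts[0] == "frame-ancestors":
                ancestors.append(parts[1:])
    if ancestors:
        # Every policy is enforced, so one restrictive source list is enough.
        if any("*" not in sources for sources in ancestors):
            return ("protected", "CSP frame-ancestors restricts framing")
        return ("frameable", "CSP frame-ancestors allows any origin")
    # Repeated headers and comma-separated lists are equivalent.
    values = {v.strip().upper() for item in headers.get("x-frame-options", [])
              for v in item.split(",") if v.strip()}
    if not values:
        return ("frameable", "no X-Frame-Options header")
    if len(values) > 1:
        return ("misconfigured", "conflicting values: " + ", ".join(sorted(values)))
    value = values.pop()
    if value in ("DENY", "SAMEORIGIN"):
        return ("protected", "X-Frame-Options: " + value)
    return ("frameable", "unrecognised X-Frame-Options value: " + value)

# Constructed responses: one with no framing header, one hardened.
DEFAULT_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
"""
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
x-frame-options: sameorigin
"""

if __name__ == "__main__":
    for name, raw in (("default", DEFAULT_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(name, framing_verdict(raw))
```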

Search Technologies implements solutions which are secure and do not impede findability or system performance. For more information, navigate to www.searchtechnologies.com.

Iain Fletcher, May 10, 2012

SearchTechnologies
