back to article Microsoft SharePoint exposes privates in sniffing hack

Sensitive information held in content management system Microsoft SharePoint is vulnerable to mining as the result of a newly discovered attack, security researchers warn. So-called frame-sniffing attacks involve the use of a hidden HTML frame to load a target website inside the attacker's malicious webpage. Using the tactic, …

COMMENTS

This topic is closed for new posts.
  1. ElReg!comments!Pierre
    Joke

    Nothing to hide...

    ... no reason not to use MS SharePoint!

  2. Steve Davies 3 Silver badge
    Pint

    At last

    a method to get at all that data that goes into SharePoint and is never seen again!

    Beer, I want to raise my glass of T.E.A to the guys who did this.

  3. Tasogare
    Thumb Down

    A practical solution:

    Don't use sharepoint. Ever.

    Because it sucks.

  4. dssf

    Suppose it goes beyond Sh(c)are point...

    Suppose that tactic:

    "Context Information Security said the hack relies on tricking a content management system user into browsing a webpage controlled by an attacker, possibly in response to a spam email. If the user leaves the tab open then the attacker can use frame-sniffing to run searches on SharePoint just like an internal user."

    works if i simply browse to a page, but leave the tab open -- in either my computer's browser or my handheld device/phone...

    I think I may have to make sure more diligently than in the past that when I open tabs from non-related sites, I close the others, then flush the cookies, then re-spawn the browser. not efficient, but....

    Wait... that I what I'm hoping to achieve when running two, *different* browsers...

    I think if it works (whether it is a new exploit or has been since day one of HTML, then users may want to think twice about having multiple browser tabs open. It's bad enough poor sandboxing and the risk of cookies being read by other cookies' masters' sleuthing code.

    1. ElReg!comments!Pierre

      Re: Suppose it goes beyond Sh(c)are point...

      "I think if it works"

      It does. It is widely advertised a mitigating measure against a wide range of browser-based attacks. On most machines I have 3 different browsers: 1 for banking, 1 for general browsing, and 1 for potentially dodgy stuff (the latest being usually something small and JS-resistant such as w3m, websurf, or the like).

  5. Mikel

    It's in the name

    Why do you think they call it "Sharepoint"?

  6. T J
    FAIL

    So....

    .....has anyone ever, EVER, worked out exactly what Sharepoint does? Or what its good for? Or why they didn't build the functionality into IIS (yes ok we know its because IIS is a pile of @)$(@*#) but lets all pretend)? Or what it does that couldnt be done by a simple web interface? Or why you'd pay for it????

  7. JP 6
    FAIL

    Linked in replied?

    "LinkedIn said it was investigating the issue."

    Was that from an email that said:

    "Thanks for contacting us and we’ll get back to you as soon as possible.

    Thanks for informing us of this situation. We will take the appropriate action based on the results of our investigation."

    I get one every time I am suggested to link to a dead person. (Jesus Christ*, Steve Jobs, etc.)

    Sometimes they take action but it depends on who gets the email. While they took Jobs off of linkedin, they still want proof that Leon Trotsky (listed as "Party Commissar at Soviet Socialist Republic"**) is not a valid member. (on linkedin at http://www.linkedin.com/pub/leon-trotsky/7/620/bba )

    *He died once and that counts.

    ** A title he didn't have while alive and didn't have after he died.

    1. markoer
      Happy

      Re: Linked in replied?

      Apparently they remove Leon Trotsky, but that was funny enough :-)

This topic is closed for new posts.

Other stories you might like