Phishing inside an iframe

Working on a new version of the Mendeley Web Importer bookmarklet recently, I took a look at a number of similar web importing tools (bookmarklets and extensions) out there, e.g. Pocket, Evernote, Instapaper.

Evernote is a great product. I am a massive fan, and their web clipper is great. However, I am not keen on their decision to enable login inside the bookmarklet iframe:

I have created this simple demo page to illustrate why. Try saving the page using the Evernote bookmarklet.

There is no clever cross domain iframe hackery involved. All I am doing is checking for the Evernote iframe, and setting its src attribute to point instead to my faked login page which can potentially be used to capture victims' logins - all with just a tiny bit of basic Javascript.

I do not want to come across as an arsehole highlighting this potential security issue. What I really want to do is to remind developers out there the importance of the browser's address bar. Internet security is built upon SSL, and when the https:// and the hostnames are hidden from the users, you can be putting your users at risk. Of course, like all phishing attacks, you cannot stop malicious attackers from faking your login page, but the point is, by avoiding such bad practice, you are making your users much less susceptible to such attacks.


Popular Posts