This vulnerability allows attackers to inject malicious code into the websites users visit and to steal cookies, session data and login credentials through an XSS flaw.
To demonstrate the attack, Deusen exploits the vulnerability, violating the Same Origin Policy on the Daily Mail’s website, and injects the words “Hacked by Deusen” into the page.
The exploit code appears to use iframes to tamper with IE’s support of the Same Origin Policy.
Obviously, the exploit could be used, for example, on a bank’s website: the attacker can inject a form asking the user for private information.
Once the attacker’s code bypasses the SOP, it has access to session cookies.
An attacker could then access sensitive information normally restricted to the target website, including credit card data, browsing histories, and other confidential data.
Microsoft is working on a fix for the vulnerability:
“We are not aware of this vulnerability being actively exploited and are working on a security update”
(a Microsoft representative via email)
The good news is that, because the exploit relies on framing the target, websites can protect themselves from being targeted through this vulnerability by sending the X-Frame-Options security header with the value DENY or SAMEORIGIN, which prevents other sites from loading them in iframes. This was noted by both Fowler and Daniel Cid, the CTO of Web security firm Sucuri.
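The framing defence described above can be checked mechanically. The following is an added example, not code from the article or from Sucuri: it classifies a response's anti-framing headers, also recognising the newer CSP frame-ancestors directive (which the article does not mention), and runs over constructed sample headers.

```python
# Added example (not from the article): classify whether a site's response
# headers stop other origins from framing it, the mitigation described above
# for the iframe-based IE SOP bypass. Sample headers are constructed.
from typing import Dict, List


def get_header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup; '' when absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return ""


def frame_ancestors(csp: str) -> List[str]:
    """Source list of a CSP frame-ancestors directive, or [] if none."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]] or ["'none'"]  # empty list == 'none'
    return []


def framing_protection(headers: Dict[str, str]) -> str:
    """Return 'protected' (cross-origin framing blocked), 'weak' (a header
    exists but still allows other origins) or 'unprotected' (no header)."""
    ancestors = frame_ancestors(get_header(headers, "Content-Security-Policy"))
    if ancestors:
        # Browsers that support frame-ancestors ignore X-Frame-Options.
        return "weak" if any("*" in a for a in ancestors) else "protected"
    xfo = get_header(headers, "X-Frame-Options").upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "protected"
    if xfo:
        # ALLOW-FROM is deprecated and unevenly supported; anything else is invalid.
        return "weak"
    return "unprotected"


# Constructed responses, as a defender's header audit would see them.
SAMPLE_SITES = {
    "news-site": {"Server": "nginx", "X-Frame-Options": "SAMEORIGIN"},
    "bank": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "legacy": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "blog": {"Content-Type": "text/html"},
}
VERDICTS = {name: framing_protection(h) for name, h in SAMPLE_SITES.items()}
```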