Cross-Site Leak - Frame Counting
Description
It is possible to determine from an external site whether or not a user is logged into the platform by counting the frames loaded when the page is opened, because the number of frames differs between the logged-in and logged-out states. The user must be logged into the platform and then visit a site that runs a malicious frame-counting script.
Impact
Determine if a specific user has access to the platform and thus collect targets for spearphishing attacks.
Recommendation
Load the same amount of frames in all application load cases.
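As an added example of the recommendation (not code from the original advisory or from any real application), the handler below renders a fixed number of frames whether or not the visitor is authenticated, padding the public view with inert `about:blank` frames, and ships with a regression check that counts the frames in both states. The widget paths, the session object and the fixed budget are constructed for this example. The COOP, X-Frame-Options and frame-ancestors headers are additional hardening that the advisory does not mention; they are included as this example's own assumption, since they stop a cross-origin page from holding a readable window reference in the first place.

```javascript
// Added example: render the same number of <iframe> elements regardless of
// authentication state, so frames.length carries no session information.
// All widget paths, the session shape and the frame budget are constructed.

// Constructed catalogue of widgets an authenticated user sees as iframes.
const AUTH_WIDGETS = ['/widgets/inbox', '/widgets/billing', '/widgets/activity'];
// Public view: one real widget; the remainder is padded with inert frames.
const PUBLIC_WIDGETS = ['/widgets/announcements'];
// Fixed frame budget: every response carries exactly this many frames.
const FRAME_COUNT = Math.max(AUTH_WIDGETS.length, PUBLIC_WIDGETS.length);

function frameTag(src) {
  return `<iframe src="${src}"></iframe>`;
}

// Renders the dashboard. `session` is a constructed object such as
// { user: 'alice' } for authenticated visitors, or null for anonymous ones.
function renderPage(session) {
  const sources = session ? AUTH_WIDGETS.slice() : PUBLIC_WIDGETS.slice();
  // Pad with about:blank frames so the count is identical in both states.
  while (sources.length < FRAME_COUNT) sources.push('about:blank');
  const body = `<!doctype html><html><body>
<h1>${session ? `Welcome, ${session.user}` : 'Welcome'}</h1>
${sources.map(frameTag).join('\n')}
</body></html>`;
  return {
    status: 200,
    headers: {
      'Content-Type': 'text/html; charset=utf-8',
      // Hardening beyond the advisory's recommendation (assumption of this
      // example): COOP isolates the page in its own browsing context group,
      // so a cross-origin opener's window reference cannot read frames.length.
      'Cross-Origin-Opener-Policy': 'same-origin',
      // Refuse embedding, which removes the <iframe>-wrapper counting vector.
      'X-Frame-Options': 'DENY',
      'Content-Security-Policy': "frame-ancestors 'none'",
    },
    body,
  };
}

// Counts <iframe> elements in rendered markup (what frames.length would see).
function countFrames(html) {
  return (html.match(/<iframe\b/gi) || []).length;
}

// Regression check a defender can keep in the test suite: the frame count
// must not differ between the anonymous and the authenticated response.
function frameCountIsConstant() {
  const anon = countFrames(renderPage(null).body);
  const auth = countFrames(renderPage({ user: 'alice' }).body);
  return anon === auth;
}
```

`renderPage` returns a plain `{ status, headers, body }` object so it can be wired into any HTTP server; `frameCountIsConstant()` is the check to run whenever the set of dashboard widgets changes, since adding a widget to only one of the two lists silently reintroduces the leak.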
Threat
Attacker on the Internet sending malicious links.
Expected Remediation Time
⏱️ 120 minutes.
Requirements
134 - Store passwords with salt
135 - Passwords with random salt
185 - Encrypt sensitive information
Fixes