
Question

Consider a user that has an open session to a legitimate site with a password on it. This page has no anti-CSRF token.

A hacker creates a webpage with 2 hidden iframes. One iframe does a GET on the page with the password and sends this password via HTML5 window.postMessage() to another iframe (sourcing the attacker's site), which takes this password and sends it off to the hacker's site via a query parameter in an HTTP GET to the hacker's web service.

Via a phishing attack, the hacker entices the user with the open session to click on the link for his webpage having these 2 iframes and steals the password.

Is this attack possible?

Explanation / Answer

One iframe does a GET on the page with the password and sends this password via HTML5 window.postMessage() to another iframe (sourcing the attacker's site), which takes this password and sends it off to the hacker's site via a query parameter in an HTTP GET to the hacker's web service.

postMessage is done with JavaScript. This means one cannot force a postMessage with just a CSRF attack unless the victim page is explicitly designed in a way that arbitrary postMessage calls to cross-origin pages can be triggered by a simple POST or GET request. Instead, the attacker would need the ability to inject script to trigger a postMessage, i.e. it needs cross-site scripting (XSS). But if XSS is possible there is usually no need to make it overly complex by using postMessage.
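The browser rules the answer relies on, as an added illustration that is not part of the original question or answer. The code below is a small Node-side model of three things: a frame cannot read a cross-origin frame's DOM, postMessage is only ever sent by script already running in the sending frame, and a sender that uses targetOrigin "*" (or a receiver that ignores event.origin) leaks to or accepts data from any origin. ModelWindow, SameOriginError, the origins bank.example / attacker.example / partner.example and the password value are all constructed for the demo.

```javascript
// Added example, not code from the original Q&A. Models the browser behaviour
// the answer describes; names and origins are assumptions made for the demo.

class SameOriginError extends Error {}

// A stand-in for a browsing context (top window or iframe).
class ModelWindow {
  constructor(origin, parent = null) {
    this.origin = origin;
    this.parent = parent;
    this.document = {}; // stands in for the frame's DOM
    this.listeners = [];
  }

  // Models iframe.contentDocument: readable only by a same-origin caller.
  documentAs(callerWindow) {
    if (callerWindow.origin !== this.origin) {
      throw new SameOriginError(
        `Blocked a frame with origin "${callerWindow.origin}" from accessing a cross-origin frame.`);
    }
    return this.document;
  }

  addEventListener(type, fn) {
    if (type === "message") this.listeners.push(fn);
  }

  // Models targetWindow.postMessage(data, targetOrigin) issued by script in `sender`.
  // The browser only delivers if targetOrigin is "*" or equals the receiver's real origin.
  postMessage(data, targetOrigin, sender) {
    if (targetOrigin !== "*" && targetOrigin !== this.origin) return false;
    const event = { data, origin: sender.origin, source: sender };
    for (const fn of this.listeners) fn(event);
    return true;
  }
}

// Scenario from the question: attacker page frames bank.example and a second,
// attacker-controlled iframe tries to pull the password out of that frame.
function attackViaDomRead() {
  const attackerTop = new ModelWindow("https://attacker.example");
  const bankFrame = new ModelWindow("https://bank.example", attackerTop);
  bankFrame.document.password = "hunter2"; // constructed sample secret
  const attackerFrame = new ModelWindow("https://attacker.example", attackerTop);
  try {
    // No script runs inside bank.example here, so the only way to get the
    // value is a cross-origin DOM read, which the same-origin policy refuses.
    return bankFrame.documentAs(attackerFrame).password;
  } catch (e) {
    if (e instanceof SameOriginError) return null; // read blocked, nothing to postMessage
    throw e;
  }
}

// The caveat in the answer: if the bank page's OWN script posts the secret to its
// parent, the targetOrigin argument decides whether an attacker parent receives it.
function leakViaTargetOrigin(targetOrigin) {
  const attackerTop = new ModelWindow("https://attacker.example");
  const received = [];
  attackerTop.addEventListener("message", (ev) => received.push(ev.data));
  const bankFrame = new ModelWindow("https://bank.example", attackerTop);
  bankFrame.document.password = "hunter2";
  // Script running in the bank frame (e.g. a legitimate widget bridge):
  bankFrame.parent.postMessage(bankFrame.document.password, targetOrigin, bankFrame);
  return received; // "*" -> ["hunter2"]; a specific trusted origin -> []
}

// Receiver side: a handler must check event.origin, otherwise any origin that can
// obtain a reference to the window can feed it data.
function receiverWithOriginCheck(allowedOrigin) {
  const accepted = [];
  const win = new ModelWindow("https://bank.example");
  win.addEventListener("message", (ev) => {
    if (ev.origin !== allowedOrigin) return; // drop messages from untrusted senders
    accepted.push(ev.data);
  });
  const attacker = new ModelWindow("https://attacker.example");
  const partner = new ModelWindow("https://partner.example");
  win.postMessage("evil", "*", attacker);
  win.postMessage("ok", "https://bank.example", partner);
  return accepted;
}

module.exports = { ModelWindow, SameOriginError, attackViaDomRead, leakViaTargetOrigin, receiverWithOriginCheck };
```

The first function is the situation in the question: without script executing inside the bank origin there is nothing that can call postMessage with the password, and the cross-origin read is refused. The second shows the only way the attack works as described, a victim page that voluntarily posts its data to whatever parent embeds it with targetOrigin "*"; passing a specific trusted origin instead stops delivery to the attacker's page. The third is the receiving-side check a practitioner would add when reviewing a postMessage handler.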