Inline HTML frames (IFRAMEs) are used fairly extensively by a number of sites to accomplish a variety of tasks, from providing a pre-XMLHttpRequest browser-server communication channel, to presenting advertisements, posts and images, to tracking users. Firefox allows third-party sites to replace IFRAMEs embedded on unrelated webpages through the use of the document.write() method. This problem was discovered back in 2006 and was meant to be addressed by this Bugzilla entry, but a distinct attack against about:blank frames, as well as against all other IFRAMEs during their load stage, is still possible.
Whenever document.write() is employed this way, the frame's document origin is updated to that of the attacking party, so direct interaction with the rest of the attacked webpage is not possible. Still, a number of attacks can be carried out - from displaying disruptive or misleading contents in the context of an attacked site, to intercepting keystrokes or tracking other aspects of user behavior.
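The origin change described above has a defender-side consequence: once a frame has been replaced by a third party, the embedding page can no longer read into it, and in a browser that access attempt throws a SecurityError. The following page-side watchdog, an added example that is not part of this advisory or its demos, turns that into a check: every frame the page itself created as about:blank or same-origin is expected to stay readable and on the expected origin, and anything else is flagged. The frame objects, the `https://example.test` origin and the `makeFrame` stand-ins are constructed here so the logic can run outside a browser.

```javascript
// Added example (not code from the advisory): detect frames that are no
// longer the embedding page's own. For a cross-origin frame, reading
// frame.contentWindow.location.href throws a SecurityError; a frame the page
// created as about:blank or same-origin should never do that.

function classifyFrame(frame, expectedOrigin) {
  let href;
  try {
    href = frame.contentWindow.location.href;
  } catch (e) {
    // Cross-origin access refused: the frame's document is no longer ours.
    return { status: "hijacked", reason: "cross-origin access refused" };
  }
  if (href === "about:blank") {
    return { status: "ok", reason: "still blank" };
  }
  let origin;
  try {
    origin = new URL(href).origin;
  } catch (e) {
    return { status: "suspicious", reason: "unparseable href: " + href };
  }
  if (origin !== expectedOrigin) {
    return { status: "hijacked", reason: "origin is " + origin };
  }
  return { status: "ok", reason: "origin matches" };
}

// Audit a list of frame elements and return one verdict per frame.
function auditFrames(frames, expectedOrigin) {
  return frames.map((f, i) => ({
    index: i,
    name: f.name || null,
    ...classifyFrame(f, expectedOrigin),
  }));
}

// Constructed stand-in for an <iframe>: `hrefOrThrow` is either the href the
// browser would return or the Error it would throw for a cross-origin frame.
function makeFrame(name, hrefOrThrow) {
  return {
    name,
    contentWindow: {
      location: {
        get href() {
          if (hrefOrThrow instanceof Error) throw hrefOrThrow;
          return hrefOrThrow;
        },
      },
    },
  };
}

// Constructed sample: a healthy blank frame, a frame navigated within our own
// origin, and a frame whose document was replaced by another origin.
const SAMPLE_FRAMES = [
  makeFrame("blank", "about:blank"),
  makeFrame("login", "https://example.test/login"),
  makeFrame("ad", new Error("SecurityError: blocked cross-origin access")),
];

function sampleAudit() {
  return auditFrames(SAMPLE_FRAMES, "https://example.test");
}

// In a real page the same audit runs over the live frame elements.
if (typeof document !== "undefined") {
  const live = Array.from(document.getElementsByTagName("iframe"));
  console.log(auditFrames(live, window.location.origin));
} else {
  console.log(sampleAudit());
}
```

A "hijacked" verdict is a signal rather than proof: a frame also becomes cross-origin when the user follows an off-site link inside it, so the check is only meaningful for frames the page never expects to leave its own origin, and it should run after the frame's load event and again periodically, since the advisory notes the replacement can happen during the load stage.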
Click below to run a simple demonstration of keystroke interception.
Click here for an example that does not rely on about:blank frame.
Questions and comments: Michal Zalewski <lcamtuf@coredump.cx>.