Cross-Site Frame Counting refers to the technique of determining the total number of window references (iframes) loaded by an external website. While it is not a vulnerability in itself, as I will demonstrate in the following example, it can lead to the exposure of private information if the number of iframes loaded on the target website varies depending on certain conditions.
I would like to express my sincere appreciation to the GitHub team for their feedback during the creation of this article. Although I am unable to disclose this report on HackerOne because it was an internal duplicate, GitHub willingly reviewed a preview of my blog post and provided feedback.
In the next section, I will illustrate how this technique, known as cross-site frame counting, could have potentially exposed your private GitHub repositories.
To identify this kind of attack, we’ll apply the following methodology:
GitHub utilizes custom VS-Codespaces to enhance the code editing experience for repositories. At the time, the URL used to access and edit these files followed this pattern:
During my testing, I discovered an interesting behavior related to the number of iframes loaded, which led to the following observations:
- When 2 iframes are loaded, the file does not exist, but the private repository does. This happens because the Get Started section was embedded within an iframe.
- If only 1 iframe is loaded, then the file exists in the repository.
- When 0 iframes are loaded, then the repository does not exist.
With those conditions in mind, I coded a PoC as an example of a potential attacker website to show how to expose private repositories and the files within a private GitHub repository:
This was reported at the end of last year and has since been patched. Here’s a video of the attack in action:
While Cross-Site Frame Counting is not a new technique (it is, in fact, a fairly old issue), the lack of disclosed reports about this behavior makes it an interesting topic to bring attention to in a major program like GitHub.
I’m not sure who was the first researcher to talk about this issue, so for references I will cite the XSLeaks Wiki.
To mitigate the risk of data exposure through Cross-Site Frame Counting, it is crucial to load the same number of iframes consistently, regardless of application state. By ensuring uniform iframe loading behavior, the application prevents the information leakage that variations in the number of iframes would otherwise allow.
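As an added example that is not part of the original post and not GitHub's own code, the following JavaScript contrasts a rendering function that reproduces the three observed frame counts (2, 1 and 0, depending on whether the file or repository exists) with a uniform rendering that always emits the same number of frames, and wraps the comparison in a regression check a defender can run in CI. The state names, the `/editor` and `/get-started` paths, and the `FRAME_SLOTS` layout are constructed for illustration.

```javascript
// Added example (not from the post or GitHub): a regression check that the
// number of <iframe> elements a page renders does not depend on private state.
// State names and paths below are constructed placeholders.

// Constructed states mirroring the three observations in the post.
const STATES = ["file-exists", "file-missing", "repo-missing"];

// Leaky rendering: the frame count varies with state (1, 2 or 0 frames), so any
// cross-site page holding a window reference can read window.length and infer
// which state the victim's session is in.
function renderLeaky(state) {
  if (state === "repo-missing") {
    return "<html><body><h1>Not found</h1></body></html>";
  }
  let body = '<iframe src="/editor" title="editor"></iframe>';
  if (state === "file-missing") {
    // The "Get Started" section is only embedded when the file is absent.
    body += '<iframe src="/get-started" title="get started"></iframe>';
  }
  return `<html><body>${body}</body></html>`;
}

// Uniform rendering: every state emits exactly FRAME_SLOTS frames. Conditional
// content goes into a slot that always exists (about:blank when there is
// nothing to show), and the "not found" page keeps the same skeleton.
const FRAME_SLOTS = 2;
function renderUniform(state) {
  const slots = [
    state === "repo-missing" ? "about:blank" : "/editor",
    state === "file-missing" ? "/get-started" : "about:blank",
  ];
  const frames = slots
    .slice(0, FRAME_SLOTS)
    .map((src, i) => `<iframe src="${src}" title="slot ${i}"></iframe>`)
    .join("");
  const heading = state === "repo-missing" ? "<h1>Not found</h1>" : "";
  return `<html><body>${heading}${frames}</body></html>`;
}

// Count <iframe ...> start tags in rendered HTML. This approximates what
// window.length reports for the top-level document (direct child frames only;
// frames nested inside child documents are not counted by window.length).
function countFrames(html) {
  return (html.match(/<iframe\b/gi) || []).length;
}

// Distinct frame counts across all states; a single value means frame
// counting reveals nothing about state.
function distinctFrameCounts(render, states = STATES) {
  return new Set(states.map((s) => countFrames(render(s))));
}

// The check to put in CI: fails when any two states render different counts.
function frameCountIsUniform(render, states = STATES) {
  return distinctFrameCounts(render, states).size === 1;
}

// Stand-alone usage:
console.log("leaky counts:", [...distinctFrameCounts(renderLeaky)]);     // [1, 2, 0]
console.log("uniform counts:", [...distinctFrameCounts(renderUniform)]); // [2]
console.log("uniform?", frameCountIsUniform(renderLeaky), frameCountIsUniform(renderUniform));
```

The check is deliberately state-driven: it enumerates every authorization-dependent state the page can be in and asserts the frame count is identical across them, which is the property the mitigation above requires. In addition to making the count uniform, the XSLeaks Wiki lists `Cross-Origin-Opener-Policy: same-origin` as a defense for this class of leak, since it detaches the cross-origin window reference through which `window.length` would be read; applying both is the safer choice.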