
CAPEC-467: Cross Site Identification

Abstraction
Detailed
Status
Draft
Severity
Low

Description

An attacker harvests identifying information about a victim via an active session that the victim's browser has with a social networking site. The victim may have the social networking site open in another tab, or may simply be using the "remember me" feature to keep their session with the site active. The attacker induces a payload to execute in the victim's browser that, transparently to the victim, initiates a request to the social networking site (e.g., via the site's available APIs) to retrieve identifying information about the victim. While some of this information may be public, the attacker is able to harvest it in context and may use it for further attacks on the user (e.g., spear phishing).

Related weaknesses (2)

CWE-352, CWE-359

Related attack patterns (1)

CAPEC-62 (ChildOf)

Exploits (2)

Type      Target                                                          ID       Confidence  Tier
Weakness  Exposure of Private Personal Information to an Unauthorized Actor  CWE-359  100%        live
Weakness  Cross-Site Request Forgery (CSRF)                               CWE-352  100%        live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

CAPEC: Cross Site Tracing
CAPEC: Cross Site Request Forgery
CAPEC: Generic Cross-Browser Cross-Domain Theft
CAPEC: Cross-Site Scripting (XSS)
CAPEC: Cross Frame Scripting (XFS)
CAPEC: Clickjacking

Sourced from MITRE CAPEC. Curated by Adam Lundqvist, SQUR.