Iframe Security Concerns for the site receiver

Posted on 2009-04-23
Medium Priority
Last Modified: 2016-03-23
I have read much conflicting information concerning security and the use of iframes. However, most of the questions have been from the site wishing to connect to another using an iframe. My question is in the reverse, meaning I have a site that is SSL based and is part of an application process for my company, so we ask many questions on this site such as the person's Social Security information, date of birth, etc. All stuff that if compromised would be ripe for identity theft. We have many requests from 3rd party partners to include our site within their site using an iframe to our site. My concern is that this might open up a security problem. My question is, is this a valid concern? More specifically, can the site page that is hosting our page in their iframe somehow scrape out this confidential information from our page and database for unknown purposes? Or can a hacker of their site somehow gain access to the information on our page via the iframe from the partner site? These concerns are usually not an issue as normally the person inputting the confidential information on our site is directly connected via their browser to our site and we use SSL to secure the session. If my concerns are invalid can you please explain why. If they are valid can you please give me some ammunition to use when my boss asks me why we shouldn't do this for our third party partners.
Question by:smithcf

Accepted Solution

Mohamed Osama earned 2000 total points
ID: 24221034
IMO, since the 3rd party is not directly connected to your database, and you are just publishing an IFrame which will just mean that your users will be connected to you supposedly, I think the risk is limited.
However, I can see this going wrong in two cases:
- If the 3rd party was compromised and the IFrame modified to phish user information somehow: this is a structured attack & the only way to address it is by ensuring the 3rd party has solid information about information security & cyber threats, and also that they are adopting proper security practices. If this is a business partnership, you should ask them for evidence related to completion of security assessment reports, etc.
- If your own website was somehow vulnerable: it shouldn't make a difference whether it was exposed through the IFrame or directly from your website. Again, the proper way to address this is by being proactive with regards to InfoSec: run vulnerability assessments on both the application level against threats like SQL injection, cross site scripting, etc., as well as a healthy patch management process for infrastructure components (IIS, SQL, etc.), proper Firewall & IPS/IDS in place, strong password policy, etc. You will also need to be on top of vulnerabilities by making sure you are running the latest updates from vendors of 3rd party components.
Sometimes it will all sound like too much to do & too much information, but this is the thing about security: it is not an ad-hoc task, but more of an ongoing process.
Hope this helps.
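As an added illustration (not part of the thread), the following Python shows the browser-enforced control that lets the SSL site itself decide which partner origins may frame it: a helper that builds the Content-Security-Policy frame-ancestors (and X-Frame-Options) response headers from an approved-partner list, and a simplified matcher showing how a browser would accept or refuse a given framing origin. The partner origins and the site's own origin are constructed placeholders, and the matcher implements only scheme-plus-host matching with a leading wildcard, not the full CSP source grammar.

```python
"""Added example (not from the thread): build and evaluate a framing policy.

A page collecting SSNs and dates of birth can tell browsers exactly which
origins may embed it.  Browsers enforce CSP's frame-ancestors directive
(and the older X-Frame-Options header) before the page renders, so an
unapproved partner, or an attacker who compromised one, cannot frame it.
"""

# Constructed sample: partners that passed the due-diligence review.
APPROVED_PARTNERS = ["https://partner-one.example", "https://*.partner-two.example"]


def framing_headers(approved):
    """Return the headers a sensitive page should send.

    No approved partners: refuse all framing (CSP 'none' plus X-Frame-Options
    DENY for old browsers).  Otherwise only the listed origins and the site
    itself may frame it; X-Frame-Options cannot carry a multi-origin list,
    so CSP expresses the allowlist.
    """
    if not approved:
        return {"Content-Security-Policy": "frame-ancestors 'none'",
                "X-Frame-Options": "DENY"}
    sources = " ".join(["'self'"] + list(approved))
    return {"Content-Security-Policy": f"frame-ancestors {sources}"}


def _source_matches(source, origin, self_origin):
    """Simplified source matching: scheme must match, host exact or '*.' suffix."""
    if source == "'self'":
        return origin == self_origin
    src_scheme, _, src_host = source.lower().partition("://")
    org_scheme, _, org_host = origin.lower().partition("://")
    if src_scheme != org_scheme:
        return False
    if src_host.startswith("*."):
        return org_host.endswith(src_host[1:])  # '*.x.example' -> '.x.example'
    return src_host == org_host


def framing_allowed(headers, ancestor_origin, self_origin):
    """Decide, as a browser would, whether ancestor_origin may frame the page."""
    for directive in headers.get("Content-Security-Policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name == "frame-ancestors":  # when present, X-Frame-Options is ignored
            sources = value.split()
            if sources == ["'none'"]:
                return False
            return any(_source_matches(s, ancestor_origin, self_origin) for s in sources)
    xfo = headers.get("X-Frame-Options", "").upper()
    if xfo == "DENY":
        return False
    return ancestor_origin == self_origin if xfo == "SAMEORIGIN" else True
```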


Author Closing Comment

ID: 31574041
Your comment about the iframe being modified to phish user information seems to also suggest that a thorough due diligence needs to be done on the 3rd party in this case, as they themselves might be able to set up the iframe in such a way as to do the phishing. Is this a correct assumption? You see, we are not only concerned about fraud from the public as a whole, but in our industry sometimes the fraud comes from our partner sites, who go bad.

Expert Comment

by:Mohamed Osama
ID: 24225575
I did not realize at the time of my reply that there may be a conflict of interest between partners.
If this indeed is the case, then your concern is valid; after all, you cannot control the content of a website unless it is run by you.
Perhaps a simple link exchange will be a good compromise.
Good luck with your projects.

