Iframe Security Concerns for the site receiver

Posted on 2009-04-23
Last Modified: 2016-03-23
I have read much conflicting information concerning security and the use of iframes. However, most of the questions have been from the site wishing to connect to another using an iframe. My question is in the reverse, meaning I have a site that is SSL based and is part of an application process for my company, so we ask many questions on this site such as the person's Social Security information, date of birth, etc. All stuff that if compromised would be ripe for identity theft. We have many requests from 3rd party partners to include our site within their site using an iframe to our site. My concern is that this might open up a security problem. My question, is this a valid concern? More specifically, can the site page that is hosting our page in their iframe somehow scrape out this confidential information from our page and database for unknown purposes? Or can a hacker of their site somehow gain access to the information on our page via the iframe from the partner site? These concerns are usually not an issue as normally the person inputting the confidential information on our site is directly connected via their browser to our site and we use SSL to secure the session. If my concerns are invalid, can you please explain why. If they are valid, can you please give me some ammunition to use when my boss asks me why we shouldn't do this for our third party partners.
Question by:smithcf

    Accepted Solution

    IMO, since the 3rd party is not directly connected to your database, and you are just publishing an IFrame which will just mean that your users will be connected to you supposedly, I think the risk is limited.
    However, I can see this going wrong in two cases:
    - If the 3rd party was compromised, the IFrame modified to phish user information somehow: this is a structured attack, and the only way to address it is by ensuring the 3rd party have solid information about information security and cyber threats, and also that they are adopting proper security practices. If this is a business partnership, you should ask them for evidence related to completion of security assessment reports, etc.
    - If your own website was somehow vulnerable: it shouldn't make a difference if it was exposed through the IFrame or directly from your website. Again, the proper way to address this is by being proactive with regards to InfoSec: run vulnerability assessments at the application level against threats like SQL injection, cross-site scripting, etc., as well as a healthy patch management process for infrastructure components (IIS, SQL, etc.), proper firewall and IPS/IDS in place, a strong password policy, etc. You will also need to be on top of vulnerabilities by making sure you are running the latest updates from vendors of 3rd party components.
    Sometimes it will all sound like too much to do and too much information, but this is the thing about security: it is not an ad-hoc task, but more of an ongoing process.
    Hope this helps.


    Author Closing Comment

    Your comment about the iframe being modified to phish user information seems to also suggest that thorough due diligence needs to be done on the 3rd party in this case, as they themselves might be able to set up the iframe in such a way as to do the phishing. Is this a correct assumption? You see, we are not only concerned about fraud from the public as a whole, but in our industry sometimes the fraud comes from our partner sites, who go bad.

    Expert Comment

    I did not realize at the time of my reply that there may be a conflict of interest between partners.
    If this indeed is the case, then your concern is valid; after all, you cannot control the content of a website unless it is run by you.
    Perhaps a simple link exchange will be a good compromise.
    Good luck with your projects.
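The thread ends on "you cannot control the content of a website unless it is run by you", but the framed site does control who is allowed to frame it at all. The example below is added here and is not code from the question or the answers: it builds the `Content-Security-Policy: frame-ancestors` (and legacy `X-Frame-Options`) response headers from an explicit allowlist of vetted partner origins, so any site not on the list cannot frame the application at all, and a stricter variant denies framing outright. The `wrap_wsgi` middleware and the partner hostnames are assumptions for illustration.

```python
from urllib.parse import urlsplit


def validate_partner_origin(origin: str) -> str:
    """Accept only a plain https origin (scheme + host[:port]); reject http, paths and wildcards."""
    parts = urlsplit(origin)
    if parts.scheme != "https":
        raise ValueError(f"partner origin must use https: {origin!r}")
    if not parts.netloc or "*" in parts.netloc:
        raise ValueError(f"partner origin must name one exact host: {origin!r}")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError(f"partner origin must not carry a path or query: {origin!r}")
    return f"https://{parts.netloc.lower()}"


def framing_headers(allowed_partners=()) -> dict:
    """Headers that tell the browser which sites may embed this page in an iframe.

    With no partners the page cannot be framed anywhere. With partners, only the
    listed origins (plus the site itself) may frame it. Browsers that understand
    frame-ancestors ignore X-Frame-Options, so the XFO value is just the fallback
    for old browsers, which cannot express a multi-origin allowlist.
    """
    origins = sorted({validate_partner_origin(o) for o in allowed_partners})
    if not origins:
        return {"X-Frame-Options": "DENY",
                "Content-Security-Policy": "frame-ancestors 'none'"}
    return {"X-Frame-Options": "SAMEORIGIN",
            "Content-Security-Policy": "frame-ancestors 'self' " + " ".join(origins)}


def wrap_wsgi(app, allowed_partners=()):
    """Hypothetical WSGI middleware: add the framing headers to every response."""
    extra = framing_headers(allowed_partners)

    def middleware(environ, start_response):
        def start(status, response_headers, exc_info=None):
            present = {name.lower() for name, _ in response_headers}
            added = [(k, v) for k, v in extra.items() if k.lower() not in present]
            return start_response(status, response_headers + added, exc_info)
        return app(environ, start)
    return middleware


if __name__ == "__main__":
    # Constructed sample: two vetted partners, one listed with odd casing and a trailing slash.
    print(framing_headers(["https://Partner-One.example", "https://partner-two.example/"]))
    print(framing_headers())  # the "link exchange instead of iframe" stance: deny all framing
```

If the business decision is the link exchange suggested above, ship the no-partner variant; either way, a partner that "goes bad" can still be cut off by removing it from the list.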

