0

I found one of the website is loading all shopping websites in their own domain.

Eg . www.domain.com having links like ,

www.shoppingsite1.com , www.shoppingsite2.com ,www.shoppingsite3.com ....

if we click on shoppingsite1.com it leads to www.domain.com/iframe/shoppingsite1

and loads the shoppingsite1.com inside this domain.

if some one purchase the product from shoppingsite1.com . Is it possible for domain.com to caputer all user data including payment credentials.

  • Bear in mind that this sort of configuration is widely required for 3rd-party payment systems. Payment processors will offer a checkout card details iframe to a different site in conjunction with tokenization to reduce the merchant's PCI scope. – gowenfawr Oct 07 '13 at 13:38

2 Answers2

1

No, as long as the CORS Access-Control-Allow-Origin is at its default restrictive value. This prevents the outer website from accessing the framed website via Javascript/etc.

CSRF attacks are still possible, though most sites protect themselves from this.

Note that you should be sure that the iframe is indeed on the correct domain (right click>view frame info on chrome) and is not being phished.

Manishearth
  • 8,237
  • 5
  • 34
  • 56
1

There are the issues Manishearth raised but also the possibility that as the site is loaded in an iframe they could overlay their own text fields over credit card input fields for example.

It's like a slight variation of a clickjacking attacking and whilst the host site isn't stealing data from the site they are framing, they're just tricking you into inserting it into the host site instead.

Scott Helme
  • 3,178
  • 3
  • 21
  • 32