I'm working for a company that wants to allow anyone to embed an iframe in which users can buy products on potentially any site. So it would be a typical use case for users to enter in their credit card info into this iframe.

I'm aware that clickjacking is a typical attack vector for this sort of setup. However, that vector seems like it's more about inducing a victim to click a button inside an iframe than inducing them to take a complex action like completing a checkout procedure.

What I need to know before I feel comfortable implementing this iframe:

  • Is this setup still vulnerable to clickjacking?
  • Is it possible to read information entered into an iframe like this through a keylogger or invisible divs floating on top of the iframe?
  • What other potential attack vectors are there in a setup like the one I described?
  • Are there additional security considerations I should be thinking about?
clarkatron

  • "that wants to allow anyone to embed an iframe in which users can buy products on potentially any site." - Could you elaborate a bit on your setup? Would anyone be able to simply embed your payment service in an iframe? What do you mean by "buy products on potentially any site"? – Arminius Jan 03 '18 at 23:00
  • Sure! Any site could embed this iframe. A user would be able to buy our products through this iframe. Does that clear it up? – clarkatron Jan 03 '18 at 23:03

1 Answer

Is it possible to read information entered into an iframe like this through a keylogger or invisible divs floating on top of the iframe?

Technically, the parent document can't capture a user's interactions with the iframe.¹ But your main problem here is that the user has no way of verifying that the box they are interacting with is actually an iframe that is displaying your actual shop and not a copy on an entirely different domain. (A simple CSS overlay over the real shop iframe would work, too.)

On a potentially untrusted site, you simply can't establish a trusted iframe that users can safely interact with. Your browser's security indicators (displaying the full domain name and the green lock icon) only work for the top-level document. That's why authentication/payment providers use redirects to have users authenticate/checkout on a top-level document that they can trust instead of inside a nested frame.

¹ That is, a keyboard event only goes either to the parent document or the iframe. But it can't be captured by the parent and still be fired inside the iframe.

Arminius
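The redirect-based pattern the answer recommends, as an added example that is not part of the original question or answer: the piece third parties are allowed to embed carries nothing sensitive and only hands off to a checkout opened as a top-level document, while the checkout page itself refuses to be framed. CHECKOUT_ORIGIN, the merchant registry, the route names and the escapeAttr helper are assumptions made for illustration, not anything the asker's company actually runs.

```javascript
// Added example (not from the original question or answer). Sketches the
// hand-off pattern: embeddable widget -> top-level checkout that cannot be framed.
// CHECKOUT_ORIGIN, REGISTERED_MERCHANTS and the routes below are assumptions.

const CHECKOUT_ORIGIN = 'https://checkout.example'; // assumed shop domain

// Merchants allowed to send customers to the checkout and receive them back.
// Constructed sample data; a real deployment would keep this in a datastore.
const REGISTERED_MERCHANTS = new Map([
  ['merchant-123', { returnOrigin: 'https://merchant-a.example' }],
]);

// Response headers for the checkout page itself. frame-ancestors 'none' makes
// the browser refuse to render this document inside any frame, so a page on
// another origin cannot overlay or clickjack the card form. X-Frame-Options is
// the legacy equivalent for browsers without CSP Level 2 support.
function checkoutHeaders() {
  return {
    'Content-Security-Policy': "frame-ancestors 'none'",
    'X-Frame-Options': 'DENY',
  };
}

// Response headers for the embeddable widget. This document is meant to be
// framed by anyone, so framing is permitted; it must therefore contain
// nothing sensitive, only the hand-off link built below.
function widgetHeaders() {
  return { 'Content-Security-Policy': 'frame-ancestors *' };
}

// Build the top-level checkout URL for a registered merchant and product.
// Returns null for unknown merchants so the widget never links out on behalf
// of an unregistered embedder.
function buildCheckoutUrl(merchantId, productId) {
  if (!REGISTERED_MERCHANTS.has(merchantId)) return null;
  const url = new URL('/checkout', CHECKOUT_ORIGIN);
  url.searchParams.set('merchant', merchantId);
  url.searchParams.set('product', productId);
  return url.toString();
}

// Minimal escaping for HTML attribute values (hypothetical helper).
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// HTML body of the widget: a single link that opens the checkout in the
// top-level browsing context (target="_top"), where the address bar and TLS
// indicators refer to the shop rather than to the embedding site.
function widgetHtml(merchantId, productId) {
  const href = buildCheckoutUrl(merchantId, productId);
  if (href === null) return '<p>Unknown merchant.</p>';
  return `<a href="${escapeAttr(href)}" target="_top" rel="noopener">Buy now</a>`;
}

// After payment, send the customer back only to the origin the merchant
// registered, so the return hop always lands on a known merchant site.
function resolveReturnUrl(merchantId, requestedPath) {
  const merchant = REGISTERED_MERCHANTS.get(merchantId);
  if (!merchant) return null;
  const url = new URL(requestedPath, merchant.returnOrigin);
  return url.origin === merchant.returnOrigin ? url.toString() : null;
}

// Stand-alone demonstration.
console.log(widgetHeaders());
console.log(widgetHtml('merchant-123', 'sku-42'));
console.log(checkoutHeaders());
console.log(resolveReturnUrl('merchant-123', '/thanks'));
```

The widget can still be clickjacked on a hostile embedding page, but the only thing a tricked click does is open the shop's own checkout as a top-level document, where the browser's domain and TLS indicators apply; the card form never exists inside a frame that an embedding page controls.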