Let's say I have logged in to my site, Genuine Site. Malicious Site has an iframe embedding Genuine Site. Will the embedded iframe in the Malicious Site have access to my login credentials for Genuine Site, which I have logged in to in another tab?

The user has no knowledge of the iframe hidden in the Malicious Site. It is a hidden DOM.

Should this be possible, the Malicious Site can now programmatically issue requests with proper credentials as the iframe has access to the session data. How should I rectify this issue?

AndrolGenhald
Souradeep Nanda

1 Answer

No. A malicious site cannot interact with its iframes that point to other domains. It can only issue GET and POST requests without reading the corresponding responses, like any other web page opened in the same browser. A feasible attack would instead be clickjacking.

This question is a possible duplicate of the question Javascript and same origin iframes.

Enos D'Andrea
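Since the answer's point is that a hostile embedder is limited to blind requests and clickjacking, the practical fix on the Genuine Site side is to refuse to be framed at all. The following is an added example (not from the question or the answer): a small checker that decides, from a page's own response headers, whether a given origin may frame it, applying the X-Frame-Options and CSP frame-ancestors rules as browsers do, plus the headers a site can send to forbid framing. Origins such as genuine.example are constructed sample values.

```javascript
// Added example, not part of the original question or answer. A CSP
// frame-ancestors directive takes precedence over X-Frame-Options when both
// are present. All origins used are constructed sample values.
function frameAncestorsOf(cspHeader) {
  // Returns the frame-ancestors source list, or null if the directive is absent.
  if (!cspHeader) return null;
  for (const directive of cspHeader.split(";")) {
    const parts = directive.trim().split(/\s+/);
    if (parts[0].toLowerCase() === "frame-ancestors") return parts.slice(1);
  }
  return null;
}
function sourceMatches(src, embedder, pageOrigin) {
  src = src.toLowerCase();
  if (src === "'none'") return false;
  if (src === "*") return true;
  if (src === "'self'") return embedder === pageOrigin;
  // Scheme-only source such as "https:" matches any host using that scheme.
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return embedder.startsWith(src);
  const m = src.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(.+)$/);
  if (!m) return false;
  const [, scheme, hostPattern] = m;
  const e = new URL(embedder);
  if (scheme && `${scheme}:` !== e.protocol) return false;
  // "*.example.com" matches any subdomain; otherwise host (and port) must be equal.
  if (hostPattern.startsWith("*.")) return e.host.endsWith(hostPattern.slice(1));
  return e.host === hostPattern;
}
function framingAllowed(headers, embedderOrigin, pageOrigin) {
  const ancestors = frameAncestorsOf(headers["content-security-policy"]);
  if (ancestors) {
    // 'none' or an empty list blocks everyone; otherwise any matching source allows it.
    return ancestors.some((s) => sourceMatches(s, embedderOrigin, pageOrigin));
  }
  const xfo = (headers["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return embedderOrigin === pageOrigin;
  return true; // no anti-framing header (or the obsolete ALLOW-FROM): anyone may embed
}
// Headers a site can send so no other origin can frame it; SameSite also keeps
// the session cookie off cross-site requests that a malicious page issues blindly.
function antiFramingHeaders(sessionId) {
  return {
    "content-security-policy": "frame-ancestors 'none'",
    "x-frame-options": "DENY",
    "set-cookie": `session=${sessionId}; Secure; HttpOnly; SameSite=Lax`,
  };
}
```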