Timeline for How does collecting sensitive data using iframes increase security?
Current License: CC BY-SA 4.0
10 events
| when toggle format | what | by | license | comment | |
|---|---|---|---|---|---|
| Apr 24, 2021 at 13:18 | comment | added | Margaret Bloom | @Acorn An evil merchant must still load the processor's iframe content or it will be too obvious it's not a real merchant. It could sniff and resell your data but the iframe prevent that. A compromised merchant doesn't even need to use iframes and not being any interaction with the processor at all it makes no sense to ask how a processor protect themself from such an attack. | |
| Apr 24, 2021 at 13:18 | comment | added | Margaret Bloom | @Acorn Using an iframe shift the access of sensitive data from the merchant to the processor (besides being the right technical way to include a full third-party page in your page. Think of library conflicts). This is what the processors are concerned about. A compromised merchant can be turned into a phishing page but that's a different attack that can't be prevented (it exploits humans). Data can't cross iframes unless in a form of intentionally pushed messages, so iframes can't be intercepted and your data can't be sniffed. | |
| Apr 23, 2021 at 17:10 | comment | added | Acorn | That's a good point with the autofill, and the knowledge of the customers details. Although this doesn't make any difference with something like a card details form using verygoodsecurity's "one iframe per field" solution.. | |
| Apr 23, 2021 at 11:06 | comment | added | Bergi | @knallfrosch This sounds like the real reason. Can you post that as an answer, please? | |
| Apr 23, 2021 at 9:48 | comment | added | knallfrosch | A faked iframe won't be logged into your PayPal, your browser won't autofill it and it won't be able to show you your name and address even after you logged in. That's suspicious. | |
| Apr 22, 2021 at 18:17 | comment | added | Acorn | Aren't popups and iframes orthogonal concepts? Also what does it matter if you can't manipulate the contents of a Same Origin iframe if you can just replace it? | |
| Apr 22, 2021 at 18:09 | comment | added | aholbreich | @Acorn Same Origin Policy restricts also access to another direction. You can't do much with popup especially on desktop (and mobile devices getting stricter also) | |
| Apr 22, 2021 at 18:04 | comment | added | Acorn | Oh, I don't think trusting the author of the iframe contents (e.g. Stripe) is the issue here. And with that kind of solution you'll be including some of their javascript to insert the iframe into the page anyway. The worry is someone manipulating the host page and being able to intercept the information that is entered into the iframe. I'm curious as to what ways an iframe limits that ability.. | |
| Apr 22, 2021 at 17:38 | history | edited | Steffen Ullrich | CC BY-SA 4.0 | added 382 characters in body |
| Apr 22, 2021 at 17:33 | history | answered | Steffen Ullrich | CC BY-SA 4.0 |