
Re: Iframes and credit card security

From: Daniel Veditz <dveditz@mozilla.com>
Date: Mon, 15 Aug 2016 10:00:58 -0700
Message-ID: <CADYDTCAoLbzsxqWhEK9J8kx16m0byn5S3ZkcHc2GrtgdAWM0yQ@mail.gmail.com>
To: Craig Francis <craig@craigfrancis.co.uk>
Cc: WebAppSec WG <public-webappsec@w3.org>
From a very narrow definition entering your payment details into a 3rd
party iframe is "secure" from the parent frame--assuming the correct iframe
has been opened! Stripe etc aren't going to get hacked, so I guess they're
happy. You're right that this leaves users ripe for phishing.

-Dan Veditz

On Mon, Aug 15, 2016 at 6:11 AM, Craig Francis <craig@craigfrancis.co.uk>
wrote:

> Hi,
>
> Is there a secure way to collect sensitive information (e.g. credit card
> numbers) through an iframe, if the parent page has been compromised?
>
> I don't think there is, and I think Stripe, BrainTree (PayPal), WorldPay,
> etc are all pretending they have a secure system, when they really don't.
>
> I've written up my notes at the following URL, but if you have any other
> comments/feedback, I'd really appreciate it (I'd like to contact the PCI
> Council again by the end of the week).
>
> Craig
>
>
>
> https://www.code-poets.co.uk/misc/security/pci-saq/
>
>
Received on Monday, 15 August 2016 17:01:27 UTC
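Dan's caveat ("assuming the correct iframe has been opened") is the part a merchant can actually check, though not from inside the parent page, since a compromised parent controls whatever runs there. The script below is an added example, not code from this thread or from any payment provider: an out-of-band monitor fetches the live checkout page and verifies that every iframe it embeds resolves to an allowlisted payment-provider origin. The sample HTML, the merchant URL `https://shop.example/checkout`, and the lookalike host `lookalike-payments.invalid` are constructed for the example; `https://js.stripe.com` stands in for whichever provider origin the merchant actually uses.

```javascript
// Added example (not from the mailing-list thread): audit the iframes on a
// fetched checkout page against an allowlist of expected payment origins.
// Run out of band (e.g. a monitor that periodically fetches the page), because
// a check inside a compromised parent page could itself be tampered with.

// Hypothetical allowlist: replace with the origin(s) of the provider you embed.
const EXPECTED_PAYMENT_ORIGINS = new Set(['https://js.stripe.com']);

// Constructed sample page: one legitimate provider frame, one lookalike frame
// (the "wrong iframe" case from the thread), and one same-origin help frame.
const SAMPLE_CHECKOUT_HTML = `
<html><body>
<iframe src="https://js.stripe.com/v3/elements-inner-card" allow="payment"></iframe>
<iframe src="//lookalike-payments.invalid/card-form.html" style="border:0"></iframe>
<iframe src='/help/faq'></iframe>
</body></html>`;

// Pull the src attribute out of every <iframe> tag. A regex is enough for a
// monitor over HTML the merchant serves; a full parser would be stricter.
function extractIframeSrcs(html) {
  const iframeRe = /<iframe\b[^>]*?\ssrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))[^>]*>/gi;
  const srcs = [];
  let m;
  while ((m = iframeRe.exec(html)) !== null) {
    srcs.push(m[1] ?? m[2] ?? m[3]);
  }
  return srcs;
}

// Classify each iframe by the origin its src resolves to relative to the page.
// Statuses: 'expected' (allowlisted provider), 'same-origin' (merchant's own),
// 'opaque-origin' (javascript:, data:, about:blank, whose origin is "null"),
// 'unparseable', or 'unexpected' (anything else, e.g. a lookalike host).
function auditPaymentFrames(html, pageUrl, expectedOrigins = EXPECTED_PAYMENT_ORIGINS) {
  const pageOrigin = new URL(pageUrl).origin;
  const findings = [];
  for (const src of extractIframeSrcs(html)) {
    let origin;
    try {
      origin = new URL(src, pageUrl).origin;
    } catch {
      findings.push({ src, origin: null, status: 'unparseable' });
      continue;
    }
    let status;
    if (origin === 'null') status = 'opaque-origin';
    else if (expectedOrigins.has(origin)) status = 'expected';
    else if (origin === pageOrigin) status = 'same-origin';
    else status = 'unexpected';
    findings.push({ src, origin, status });
  }
  return findings;
}

// True when any frame on the page is not one the merchant expects to host
// payment input; a monitor would alert on this.
function hasUnexpectedFrames(findings) {
  return findings.some(f => f.status === 'unexpected' || f.status === 'opaque-origin' || f.status === 'unparseable');
}

// Stand-alone run over the constructed sample.
const findings = auditPaymentFrames(SAMPLE_CHECKOUT_HTML, 'https://shop.example/checkout');
console.log(findings);
console.log('alert:', hasUnexpectedFrames(findings));
```

In practice the monitor fetches the checkout URL from outside the merchant's infrastructure on a schedule and alerts on any `unexpected` or `opaque-origin` finding; that catches the replaced-iframe case the thread describes, but, as Craig's question implies, it cannot by itself stop a compromised page from phishing users between two checks.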
