- From: Devdatta Akhawe <dev.akhawe@gmail.com>
- Date: Mon, 15 Aug 2016 13:40:21 -0700
- To: Daniel Veditz <dveditz@mozilla.com>
- Cc: Craig Francis <craig@craigfrancis.co.uk>, WebAppSec WG <public-webappsec@w3.org>
On 15 August 2016 at 10:00, Daniel Veditz <dveditz@mozilla.com> wrote: > From a very narrow definition entering your payment details into a 3rd party > iframe is "secure" from the parent frame--assuming the correct iframe has > been opened! Stripe etc aren't going to get hacked, so I guess they're > happy. You're right that this leaves users ripe for phishing. > On the other hand, whatever studies of phishing I have seen, suggest that a full page navigation would also be ripe for phishing for the vast majority of users. Not sure whether iframes cause a massive change in phishing risk, in the case of a malicious merchant. --dev > -Dan Veditz > > On Mon, Aug 15, 2016 at 6:11 AM, Craig Francis <craig@craigfrancis.co.uk> > wrote: >> >> Hi, >> >> Is there a secure way to collect sensitive information (e.g. credit card >> numbers) though an iframe, if the parent page has been compromised? >> >> I don't think there is, and I think Stripe, BrainTree (PayPal), WorldPay, >> etc are all pretending they have a secure system, when they really don't. >> >> I've written up my notes at the following URL, but if you have any other >> comments/feedback, I'd really appreciate it (I'd like to contact the PCI >> Council again by the end of the week). >> >> Craig >> >> >> >> https://www.code-poets.co.uk/misc/security/pci-saq/ >> >
Received on Monday, 15 August 2016 20:41:11 UTC