
Re: Iframes and credit card security

From: Craig Francis <craig@craigfrancis.co.uk>
Date: Tue, 16 Aug 2016 00:11:00 +0100
Cc: WebAppSec WG <public-webappsec@w3.org>
Message-Id: <87054247-40EA-4464-AA3C-A196B8517597@craigfrancis.co.uk>
To: Daniel Veditz <dveditz@mozilla.com>

Thanks Dan,

Personally I think "assuming the correct iframe has been opened" is the problem, and because most websites are doing things like running out of date versions of WordPress, they need to have at least a basic check that things "seem to be ok".

And I'm not someone who thinks an automated scan that just checks version numbers is perfect, but it's better than nothing.

Craig
> On 15 Aug 2016, at 18:00, Daniel Veditz <dveditz@mozilla.com> wrote:
> 
> From a very narrow definition entering your payment details into a 3rd party iframe is "secure" from the parent frame--assuming the correct iframe has been opened! Stripe etc aren't going to get hacked, so I guess they're happy. You're right that this leaves users ripe for phishing.
> 
> -Dan Veditz
> 
> On Mon, Aug 15, 2016 at 6:11 AM, Craig Francis <craig@craigfrancis.co.uk> wrote:
> Hi,
> 
> Is there a secure way to collect sensitive information (e.g. credit card numbers) through an iframe, if the parent page has been compromised?
> 
> I don't think there is, and I think Stripe, BrainTree (PayPal), WorldPay, etc are all pretending they have a secure system, when they really don't.
> 
> I've written up my notes at the following URL, but if you have any other comments/feedback, I'd really appreciate it (I'd like to contact the PCI Council again by the end of the week).
> 
> Craig
> 
> 
> 
> https://www.code-poets.co.uk/misc/security/pci-saq/
> 
> 
Received on Monday, 15 August 2016 23:39:27 UTC