iFrames on Facebook and its Security Implications


#1 Mere_Mortal
  • Helper Trainee
  • 292 posts

Posted 01 February 2012 - 03:08 PM

See this link for an overview of the feature being discussed...

Assuming that your website can use the HTTPS protocol, you can take advantage of this feature. If you don't have an SSL certificate then you cannot. This is understandable because, in theory, it limits abuse as it requires the initial investment of purchasing HTTPS.

This is where iframehost.com comes into play, and they are but an example. This third-party entity holds such a certificate and they are allowing any old sod to use their services as a proxy for this purpose. Since that any old sod need not make an initial monetary investment, there is no risk on their part. All one need do is register a link between iframehost and their Facebook page so that they can use a custom iFrame on it. As a result, the entire purpose of enforcing a certificate in the first place has thus been negated.

Given that an iFrame is not permitted to interact with the rest of the page if the two are of differing domains, Facebook has absolutely no way of validating the content of that frame. This means that there would be untrusted code on its page and that, from a web developer's perspective, is completely against the principles of content integrity.

I cannot begin to understand why Facebook even allow this feature in the first place, regardless of certification. As a good friend once said: My brain stops at "What the heck?".

Successful blocking of iframehost.com via the hosts file on a live page, preventing a redirect...

Another example, this time involving facebook.iframe-apps.com...

Here's a live Proof of Concept, nothing fancy but it gets the point across...

Edited by Mere_Mortal, 03 February 2012 - 04:17 PM.

Member of UNITE