03/21/2011 3:32 PM

Facebook iFrames: Good For Business, Bad For Security?

Legitimate developers will be pleased with the expanded flexibility, but malicious ones will find it easier to introduce malware, security experts warn.

Ever since the iFrame tag was introduced in Internet Explorer 3, security professionals have worried about all the ways it can be used to trick visitors to a Web site, who often have no way of knowing they are really viewing two different Web pages at once.

Jaquith is not surprised that most developers are happy. "If you're a Web developer, you regard any kind of shackles as an unwarranted intrusion on your freedom -- you see the Web page as your canvas and think you ought to be able to paint whatever you want on it," he said.

On the other hand, Facebook's old policy allowed it to proxy and filter application content. Corporate IT managers may want to rethink their policies on allowing Facebook access from work computers. Perimeter E-Security offers Web filtering as a cloud service, so that's the main way his firm is addressing the issue. Applications developers using the IFrame mechanism to expose applications as Facebook tabs will also have to keep a closer eye on form submissions and other interactions that are no longer proxied in the same way, Jaquith said.

Facebook makes developers agree to Terms of Service that preclude them from doing anything nasty, but the company does not screen application or page tab content prior to publication. Rather, Facebook's privacy and security team investigates complaints and sometimes sues over abuses. That's no guarantee that you won't get burned before the abuse is identified.

I see this as an incremental change in the Facebook platform and the risks and benefits that go with it. IFrame support in page tabs is new, but Facebook has supported IFrame apps for several years. The distinction I'm making here is between applications and content you view within the context of the Facebook page for a business or organization (a "tab") and applications you view separately (an "app" or "application canvas" in Facebook terminology).

Apps such as all those silly games people play on Facebook often use IFrames rather than HTML so they can take advantage of Web technologies such as Flash. Occasionally, various evildoers have used this opening to trick games enthusiasts into downloading malware or giving away passwords -- all the same mischief that goes on elsewhere on the Web.

Arguably, there is a difference between making a deliberate decision to view an application versus merely browsing to a Facebook page. As with many Web security issues, some of this comes down to whether users understand the risks they are taking and the information they are giving away.

Jaquith suggested Facebook has a responsibility to the users who make the mistake of thinking whatever they view on Facebook is safe. Of course, nothing on the Web is safe.
