Facebook iFrames: Good For Business, Bad For Security?

Legitimate developers will be pleased with the expanded flexibility, but malicious ones will find it easier to introduce malware, security experts warn.

David Carr

March 21, 2011


When Facebook made a series of changes to its platform for applications and business pages in February, developers by and large cheered, but some security folks groaned.

One significant change that Facebook had been telegraphing for months was a shift in the technical integration of the tabs displayed on a Facebook business page. For any company trying to create more advanced modes of interaction with customers on Facebook, beyond the chatter of the Wall, Facebook tabs are an important tool. Several prominent consumer product and retail companies like Best Buy, Coca-Cola, and Levi's have exploited this medium aggressively. However, until recently Facebook application developers have not been able to use the full range of tools available to them in any other Web application. It used to be you had to code page tabs in FBML -- a Facebook markup language derived from HTML -- and could use only Facebook-approved JavaScript and AJAX commands.

Those limitations went away in February, with the introduction of support for HTML IFrames (inline frames) as the display technology for page tabs. Now, Facebook says it is phasing out support for new FBML apps and page tabs (although existing ones continue to function) in favor of its newer XFBML and JavaScript developer's kit, which works in both Facebook IFrames and independent Web pages.

This means you can use any Web page as the source for your page tab content. Just plug the URL into Facebook's app registration form, put in the text you want to appear on the tab label, and add it to your page. Aside from the width of the tab content, which must be under 520 pixels to display properly, there are few if any technical limits on what content can appear in that spot -- use any JavaScript library, use Flash, use Silverlight -- all sorts of things that used to be off limits.

Rik Ferguson, Director of Security Research and Communication at Trend Micro, blogged about the "open JavaScript hole" created by the change the day after Facebook announced it. "While this is no doubt great news for legitimate developers, it will undoubtedly make life for those with malicious intent much easier too," he wrote. For example, a tab can now include JavaScript that redirects your browser to a Web site containing malicious software.

I saw Ferguson's post shortly after it appeared and felt inclined to dismiss it, since at the time I was having fun experimenting with the possibilities of iFrame-based integration, including a WordPress plugin that exploits this capability.

But I heard the case against IFrames again last week in a conversation with Perimeter E-Security chief technology officer Andrew Jaquith. "Let's face it, iFrames are basically evil -- they always have been," he said. Ever since the iFrame tag was introduced in Internet Explorer 3, security professionals have worried about all the ways they can be used to trick visitors to a Web site, who often have no way of knowing they are really viewing two different Web pages at once.

Jaquith is not surprised that most developers are happy. "If you're a Web developer, you regard any kind of shackles as an unwarranted intrusion on your freedom -- you see the Web page as your canvas and think you ought to be able to paint whatever you want on it," he said.

On the other hand, Facebook's old policy allowed it to proxy and filter application content. Corporate IT managers may want to rethink their policies on allowing Facebook access from work computers. Perimeter E-Security offers Web filtering as a cloud service, so that's the main way his firm is addressing the issue. Application developers using the IFrame mechanism to expose applications as Facebook tabs will also have to keep a closer eye on form submissions and other interactions that are no longer proxied in the same way, Jaquith said.

Facebook makes developers agree to Terms of Service that preclude them from doing anything nasty, but the company does not screen application or page tab content prior to publication. Rather, Facebook's privacy and security team investigates complaints and sometimes sues over abuses. That's no guarantee that you won't get burned before the abuse is identified.

I see this as an incremental change in the Facebook platform and the risks and benefits that go with it. IFrame support in page tabs is new, but Facebook has supported IFrame apps for several years. The distinction I'm making here is between applications and content you view within the context of the Facebook page for a business or organization (a "tab") and applications you view separately (an "app" or "application canvas" in Facebook terminology).

Apps such as all those silly games people play on Facebook often use IFrames rather than HTML so they can take advantage of Web technologies such as Flash. Occasionally, various evildoers have used this opening to trick games enthusiasts into downloading malware or giving away passwords -- all the same mischief that goes on elsewhere on the Web.

Arguably, there is a difference between making a deliberate decision to view an application versus merely browsing to a Facebook page. As with many Web security issues, some of this comes down to whether users understand the risks they are taking and the information they are giving away.

Jaquith suggested Facebook has a responsibility to the users who make the mistake of thinking whatever they view on facebook.com is safe. Of course, nothing on the Web is safe.

About the Author(s)

David Carr

Editor, InformationWeek Healthcare and InformationWeek Government (columnist on social business)
