[adrianmonk]

Interesting. Do they literally embed Stripe JS? I'm not a front end developer and don't know a ton about web security, but it seems like a malicious/hacked site could still get the card number this way.

The purpose of PCI compliance is to protect the number/info, so how would Stripe (and similar) get approved if they're creating a payment widget that allows third parties to snoop card numbers?

Is this a PCI loophole, or is there some technical barrier preventing the third-party site from getting access?

[realmod]

Stripe JS uses an iframe for card number which blocks the site from accessing the number. And the only way to access the card number is either a security hole in the iframe message handling or in the browser.

[gruez]

Not really. It's true that the main site (parent of the iframe) wouldn't normally have access to the card numbers, but there's nothing preventing you from replacing the iframe entirely. There isn't an "address bar" for iframes, and people certainty aren't manually checking the address by right-clicking, so there's a very high chance you can get away with it. Even if some user checked and noticed the iframe was missing, there are enough sites that don't use iframes for payment processing (ie. they submit credit card numbers directly to their servers) that it wouldn't look out of place.

[adrianmonk]

> There isn't an "address bar" for iframes

Maybe there should be? If it's important to know what site you're looking at in a top level page, the same thing should apply to an embedded one.

Often when I learn about web security, it seems like the user agent abdicates responsibility to be an agent for the user.

Probably a case where it's more obvious in hindsight why this is important, but it could still be retrofitted. Maybe there's a better way, but for example, a browser could make the address bar a breadcrumb widget using multiple URLs to depict the iframe nesting.

[gruez]

>Maybe there should be?

How do you prevent a website from faking the address bar? The only reason that you can trust address bars right now is that the website can't draw outside the content frame. There's already attacks on mobile[1] involving fake address bars because the address bar can be hidden, allowing the site to draw a fake address bar in its place. The only secure way to do it would be to opening another window (like when you try to use sign in with google), but that still has the issue that lots of legacy sites won't use this security feature, so users will still happily enter in their credit card numbers.

[1] https://jameshfisher.com/2019/04/27/the-inception-bar-a-new-...

[adrianmonk]

> How do you prevent a website from faking the address bar?

Well, my suggestion was to add additional URL(s) into the same address bar that already exists at the top. (Hence the breadcrumb widget.)

My original motivation was to not wreck the layout of pages that are currently counting on the inside of the iframe to be big enough to hold all the expected content.

But it also protects the additional URL(s) from being drawn over because you already can't draw over the address bar.

That mobile address bar hiding hack is pretty scary, though.

[realmod]

Yeah that is true. I guess in the end you still have to trust the site unless it uses the stripe hosted checkout.

[adrianmonk]

Thanks, that makes sense. It's <iframe>, not <script>. (They're embedding more than JS.)