Last night something interesting was brought to my attention through my Mint statistics. It’s probably only important for those interested in keeping their images and selective content from major search engines.

Mint statistics example, link to an image as referenced by Google.com

Usually when a search engine checks out my website I see the hit listed like this: “Search for: men and women” with a little icon indicating that the result deals with an image. Oh, and to clear the record, I’ve been getting a lot of hits on my site lately from people searching for similar things. Somehow in writing about that project for LifeBridge Church I didn’t expect it to bring in so many searches from things like Google images. I should have realized that was coming.

But I digress…

When you’re used to seeing something one way and it comes in differently you start to wonder. I got this link last night:

The latest referral to my page, a real page holding my content.

The difference is subtle but there’s something important to note. There isn’t an image icon and the referral page is written in a peculiar way: “search.netscape.com/search/imageDetails…”. To me that seemed like an actual page rather than a quick picture link from a gallery.

I was right.

Apparently Netscape has implemented a system that is capable of pulling in images in their original context. That may seem innocent enough except for one underlying factor: the giant iFrame in the middle of the page.

An image of the Netscape iFrame hard at work on my data.

Apparently that iFrame is able to pull all of your files as if the user was right on your website. Now, for most people that’s not a big deal but it could be if you consider the fact that all of your content can then be categorized by a search engine again or read locally. That of course is regardless of any work you have done to prevent that from happening by, say, a .htaccess file or a PHP script. So then it begs the question “why bother writing .htaccess files anyway if they’re just going to iFrame your content?” Apparently my .htaccess rule is working since you can’t see the image outside of the iFrame as it was intended.

I’m not saying or implying that Netscape has been malicious or that they are disregarding the robots.txt file. Apart from putting a copyright below the display of my content (which I don’t think is illegal or wrong, just potentially misleading and could make it difficult in some cases to determine who owns copyright for materials… maybe… I dunno…) they haven’t really done anything wrong.

But the Netscape concept is an interesting one. This is going to sound a little “conspiracy theorist-ish” but I think this could be evolved to do some potentially dangerous things. For example:

A while back I wrote an article about a way that I thought seemed viable for keeping people from ripping off your CSS files. What the viewer should have seen on that Netscape page was a joke message from me; instead they actually got to see the page as it is presented from my site.

What that means is that the iFrame is loading the files in a way that bypasses scripts intended to keep you on the actual site. Now, at this point I’m sounding like I care quite a bit about my CSS files, etc. but that’s not really the case. The only reason I left the script running was because I wrote an article about it and feel somewhat obligated to do so.

Nevertheless, what I am concerned about is that people could theoretically pull or push more information than you care to allow, maybe including video files and streamed media. I know this isn’t exactly going to be a revelation to some people, iFrames have been around long enough to be discontinued and deprecated (or not?). I’m sure that there are people out there who haven’t trusted them from the start. But if you’re like me you probably never considered them as another level of potential security risks. The good news is that you’ll probably see the reference coming in if you’re using something like Mint to manage your statistics.

But I’m also concerned about the use of JavaScript to pull or manipulate information on your page as well. With JavaScript you could possibly reach into the scripts or HTML on the page and pull out some useful pieces of information about the way files are submitted or just the structure of how a user-submitted mechanism works. That would be possible especially if the checks and balances systems in place are written in JavaScript and not PHP.

Granted, structure and element information is nothing you can’t usually gather by reading a site’s Javascript files directly but the difference is that if the iFrame is completely capable of manipulating elements on your page then they could maybe use some custom scripts to post to your forms, among other potential inputs. How difficult would it be to pass false values for a variable to another Javascript file? PHP apparently can’t discern the difference between a remote and local page view, so could my website then pass data to your website’s MySQL database through Javascript submitted data?

I don’t know that most people will ever come across a problem like this; honestly, I don’t know how much someone could actually manipulate from an iFrame to any dangerous degree. I’m not even convinced that anything could be done, period. But I think it’s worth keeping in the back of my mind at least, and I might consider doing some testing on it in the future to see what I can manipulate remotely. If anyone else comes up with anything, be sure to let me know what you find out. I’m definitely curious.
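The two situations described above, a framed copy of a page still satisfying a Referer-based .htaccess rule and another site submitting to your forms, can both be decided on the server. This is an added example, not code from this site: a JavaScript model of the per-request decision, in which `SITE`, the paths and every sample request are constructed for illustration. Browsers already stop a framing page's script from reading a framed document on a different origin, so the checks below cover what remains: being framed at all, and cross-site form posts.

```javascript
// Added example. SITE and the sample requests are constructed placeholders.
const SITE = 'https://example.org';

// Origin of a URL-valued header, or null when it is absent or malformed.
function originOf(value) {
  try { return new URL(value).origin; } catch { return null; }
}

function decide(req) {
  const headers = {};
  const referer = originOf(req.headers.referer);
  const origin = originOf(req.headers.origin);

  // 1. Referer-based hotlink rule, as a typical .htaccess rewrite applies it:
  //    empty Referer allowed, foreign Referer refused. An image inside a
  //    framed copy of the page is requested with the page's own URL as
  //    Referer, so the rule lets it through. That is expected, not a bypass.
  if (/\.(png|jpe?g|gif)$/i.test(req.path)) {
    const foreign = referer !== null && referer !== SITE;
    return { status: foreign ? 403 : 200, headers };
  }

  // 2. Form posts: accept only when Origin (or Referer as a fallback) is this
  //    site. A request carrying neither header is refused as well.
  if (req.method === 'POST') {
    const source = origin ?? referer;
    return { status: source === SITE ? 200 : 403, headers };
  }

  // 3. HTML pages: the server cannot tell from the request whether it will be
  //    rendered in a frame, so it instructs the browser to refuse foreign frames.
  headers['X-Frame-Options'] = 'SAMEORIGIN';
  headers['Content-Security-Policy'] = "frame-ancestors 'self'";
  return { status: 200, headers };
}

// Constructed sample requests.
const samples = {
  hotlink: { method: 'GET', path: '/img/a.jpg',
    headers: { referer: 'https://search.example.net/imageDetails?x=1' } },
  framedImage: { method: 'GET', path: '/img/a.jpg',
    headers: { referer: 'https://example.org/post/1' } },
  page: { method: 'GET', path: '/post/1',
    headers: { referer: 'https://search.example.net/imageDetails?x=1' } },
  crossSitePost: { method: 'POST', path: '/comment',
    headers: { origin: 'https://other.example.net' } },
  ownPost: { method: 'POST', path: '/comment', headers: { origin: SITE } },
};
```

Validation written only in client-side JavaScript does not appear anywhere in `decide`, which is the point: anything the server relies on has to be checked on the server.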

Additional and External Reading

Related in that they deal with malicious uses of iframes:

* WebViewFolderIcon setSlice exploit in the wild – follow up
* Hackers Bring Host of Troubles
* IFRAME Exploit Spreading Through Banner Ads