Microsoft introduced inline frames in 1997 with the release of IE 3. Based on HTML 4 technology, iFrames are a modification of <frame> tags, and place one (frameset) HTML document in a frame inside a normal HTML document.
If you’re familiar with inline frames, you’ll know that they can be very useful for displaying different types of information – oftentimes from different sources – on a single web page. Both internal content from another part of a website and external websites can be integrated into an iFrame. Also, inline frames allow the embedded element to be organized as desired, with scroll bars and more.
One common use for iFrames can be found in a company’s internet shop page: the navigation bar, footer and even side panels are programmed by the company itself and the contents remain the same, while the “shop” area in the middle is programmed and run by an external web commerce provider.
Neat, right? Well, it’s precisely this sheer ease of integration that can make iFrames a problem. If formatted correctly, an iFrame is very difficult to spot. The web shop looks just like the rest of the page, right? This invisibility of other contents in a website can be problematic at times.
What does this have to do with XING?
Every XING profile has a dedicated URL, meaning it too can be embedded into a website via an iFrame if a designer so wishes, and can be visited by anyone who goes to the page in which it is embedded. This can be useful, for example, if you wish to include part of your profile in your private or professional website, allowing potential business partners or clients to contact you via XING.
There’s no guarantee, however, that a talented HTML hacker couldn’t misuse an iFrame for his own ends. Let’s say you’re logged into XING. In another window or tab, you click on a website on which the programmer has embedded an iFrame linking to his XING profile. By visiting this external website, you have now just “visited” the person’s profile. And – if the trickster happens to be a Premium Member – your full name will be visible to him or her.
This is particularly irritating if the frame containing the XING profile is invisible; if, for example, it has been set to be one pixel in size, or is programmed to be hidden. Back to the real world: This isn’t simply a theoretical exercise; there is actually a person programming a website to do just this right now. Although it’s impossible to see with the naked eye, XING members are visiting the XING profile of another member by means of an invisible iFrame embedded in a website.
Just by visiting a rigged website somewhere in the World Wide Web, a member can reveal his identity to the person running the website – and might receive a XING message as a result. Keep in mind, the worst case scenario is that someone can see your real name, and all the information you choose to reveal to non-contacts on XING.
What is XING doing about this?
As a rule, this problem affects all social networks that show a user who has visited his or her profile. One temporary solution is to implement what is known as a Framebreaker: a piece of JavaScript that checks whether its page is being displayed inside a frame and, if so, breaks out of the frame or interrupts the display of the web page.
Given the current situation, we’ve decided against implementing a simple Framebreaker, because doing so would disrupt all visible, beneficial uses of frames along with the less benign ones. Instead, we’ve constructed an intelligent Framebreaker, which queries the size of the iFrame and only breaks the frame when it is apparent that it is being used for invisible or covert purposes. That way, iFrames that are obvious to the user are not affected.
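The size-aware Framebreaker described above, as an added illustration that is not XING’s own script: the page measures its own viewport, and only breaks out of the frame when that viewport is too small to be visible. The 100-pixel threshold, the function names and the fake `win` objects used for testing are assumptions.

```javascript
// Added example of an "intelligent" framebreaker: break out of an embedding
// frame only when the frame is too small for a user to see it.

// Assumed threshold: a frame narrower or shorter than this (CSS px) is
// treated as covert. A visible, deliberately embedded profile is larger.
const MIN_VISIBLE_PX = 100;

// Collect what a framed document can learn about itself. Cross-origin
// pages cannot inspect the <iframe> element's CSS, but the iframe's own
// viewport size is always available: a 1x1 or display:none frame yields a
// viewport of 1x1 or 0x0.
function measureFrame(win) {
  return {
    framed: win.top !== win.self,
    width: win.innerWidth,
    height: win.innerHeight,
  };
}

// Pure decision so the rule can be tested outside a browser.
// Limitation: a full-size frame hidden with visibility:hidden or moved
// off-screen looks the same as a visible one from in here.
function shouldBreakFrame(frame) {
  if (!frame.framed) return false; // top-level page: leave it alone
  return frame.width < MIN_VISIBLE_PX || frame.height < MIN_VISIBLE_PX;
}

// Replace the framing page with this document, so the "visit" becomes
// visible to the member. Returns true when the frame was broken.
function framebreaker(win) {
  if (!shouldBreakFrame(measureFrame(win))) return false;
  try {
    win.top.location = win.self.location; // navigating top is allowed cross-origin
  } catch (e) {
    // Sandboxed frames may refuse; fall back to blanking our own display.
    if (win.document && win.document.body) win.document.body.innerHTML = '';
  }
  return true;
}

if (typeof window !== 'undefined') framebreaker(window);
```

A script-only check like this is best effort: it can only run if the embedding page lets the framed document execute at all.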
Using iFrames in a way that is invisible to XING members is a violation of our Terms and Conditions and our Privacy Policy. In the event that you come across abuse by a member, you can either contact us using the Contact Form or report the profile in question by clicking on the “Flag this profile” button on the individual profile. Our Community team will take over from there.
What can I do?
Data security on the XING platform is a central concern of ours, which is why XING is the only social network to use SSL encryption for the entire website. You can also adjust your own security settings to further ensure the safety of your data: When you log in to XING, you have the option to activate “automatic login” (see image below). If you choose not to check this box, you’ll have to log in more frequently, however.

You can disable the automatic login.
If you wish to avoid cold calling from non-contacts, you can lock your XING Inbox by making the appropriate selection in your Privacy settings. Furthermore, if you suspect abuse or are very concerned about security, we recommend you strictly limit the data you share with non-contacts.

These rigid settings would protect you from trickster XING messages. Keep in mind, though, that this also limits the possibilities for benign XING members to connect with you.
Once again, if you become suspicious about a particular member (a non-contact of yours, for example), you can always report them to our Community team.
As always, we look forward to your feedback, and are happy to hear your questions, suggestions, and ideas.
Link to this article:
http://blog.xing.com/2009/05/release-flash-%e2%80%93-iframes-and-xing-finding-a-solution/trackback/