Security gurus of FC: anything we should be wary of when it comes to frames?

I understand certain data is signed + sent when clicking a button — I trust @varun and team have thought things through, but the paranoid part of me wonders how frames could be used maliciously

nf.td/mark 🟪 Forward-Deployed Software Engineer (Healthcare @ Palantir) 🟪 FID 1351

yeah that’s a good way to think about it. Reading more & building one has helped me understand. A very specific message is signed when you click a button

cma.xyz. Founder /paragraph, previously at Google and Coinbase

yeah that’s a good way to think about it. Reading more & building one has helped me understand. A very specific message is signed when you click a button https://warpcast.notion.site/Farcaster-Frames-4bd47fe97dc74a42a48d3a234636d8c5#:~:text=contains%20two%20objects%3A-,Signed,-Message%20%E2%80%94%20a%20signed

The actual functionality that frames support is very limited - basically “display an image and some buttons; when buttons pressed send request to a backend”.

Not possible to have onchain txns initiated by the user

The only concern is privacy. Someone on the internet now has a signed message that you clicked a button. 

There's no practical way to compromise funds with this as of today today.

a legit looking frame experience could try to redirect you to a malicious site (e.g. visit X site to complete your airdrop claim, read article, etc.)

but that goes for any link you see on the internet

Infosec

interested to see what others think. (especially the decision to avoid iframes)

https://warpcast.notion.site/Farcaster-Frames-4bd47fe97dc74a42a48d3a234636d8c5

Shout out to /infosec aggregation thread 
https://warpcast.com/m-j-r.eth/0x949f0694