October 19th, 2006

Web 2.0 Security Scares

Posted by Richard MacManus @ 3:04 am

Categories: Google, Internet Companies, Microsoft, Rich Internet Applications (RIA), Social Media, Social Software, Tech, Two-Way Web, Web 2.0, Web as Platform, Yahoo

For web-based businesses like Google and MySpace, few things are more scary than malicious attacks on the code of your websites or apps. And in this web 2.0 era, new threats have emerged that specifically target Ajax websites.

Web security firm Finjan recently released a report outlining "sophisticated new threats that target Web 2.0 platforms and technologies." According to the report, this web security threat "centers on the use of Web 2.0 and AJAX (Asynchronous JavaScript and XML) technologies for malicious activities." 

The report acknowledges that Web 2.0 and AJAX technologies enable a rich user experience for Internet users, but it warns: "the technology also flings open the door to new malware propagation methods." Apparently hackers are now targeting high-traffic web sites and either embedding malicious code in hosted Web content, or using AJAX to query what Finjan calls "the hidden web".

Web 2.0 Security Vulnerabilities

I got hold of the full report and here are some highlights:

1) Finjan wrote: "Since Web 2.0 platforms enable anyone to upload content, these sites are easily susceptible to hackers wishing to upload malicious content. Once the malicious content has been uploaded, innocent visitors to these sites can also be infected, and the site owners could be potentially responsible for damages incurred."

The example given was of a personal web page on Geocities being used to compromise an end user’s machine. This was an unfortunate example, because Geocities is more representative of web 1.0. 

2) The next threat listed is this: "Finjan researchers have discovered that AJAX can query back-end web services automatically, or, in other words, “query the hidden web.” This provides an opening for hackers to create “invisible” attacks using AJAX queries, since the code is never revealed on the site and more specifically can be encrypted in transit using SSL."

Note that the "hidden web" in this context refers to the vast majority of the web that is not indexed by search engines. Examples of the hidden web are forms and applications (web services) in which users enter content dynamically.

The example given was the famous "Samy" MySpace worm in 2005, in which a MySpace user named Samy created a worm that automatically added millions of MySpace users as his friend. Samy's code utilized XMLHttpRequest, the JavaScript object used in AJAX, or Web 2.0, applications.

Finjan notes that Ajax threats may be even more heightened now than in the 2005 MySpace case:

"Although in this case AJAX was used ‘just’ to transparently populate a worm, our latest discoveries found AJAX being used to silently request malicious code without a user’s knowledge."
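The two Finjan threats above share a root cause: content uploaded by one user is later rendered, with any script it carries, in other users' browsers. One defensive check for that, added here as an example and not taken from the Finjan report or the article, is a server-side allowlist sanitizer for user-supplied HTML built on Python's standard html.parser; the permitted elements and attributes in ALLOWED_TAGS and ALLOWED_ATTRS are an assumed policy, and the sample input is constructed.

```python
"""Allowlist sanitizer for user-uploaded HTML (added example, not from the Finjan report)."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed policy: only these elements/attributes survive; everything else is dropped.
# Allowlisting (rather than blocking known-bad tags) is what keeps filter bypasses out.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li", "br"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = {"http", "https", "mailto", ""}  # "" means a relative URL
VOID_TAGS = {"br"}


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = 0      # rejected tags/attributes; worth logging per upload
        self.skip_depth = 0   # >0 while inside <script>/<style>: discard text too

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            self.dropped += 1
            return
        if tag not in ALLOWED_TAGS:
            self.dropped += 1
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped += 1          # rejects on*, style, and anything unlisted
                continue
            # Strip whitespace/control characters before reading the scheme, since
            # browsers tolerate them and attribute values arrive entity-decoded.
            scheme = urlsplit("".join(value.split())).scheme.lower()
            if name == "href" and scheme not in SAFE_SCHEMES:
                self.dropped += 1
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)   # e.g. <br/>

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.skip_depth == 0:
            self.out.append(escape(data, quote=False))


def sanitize(html: str):
    """Return (clean_html, number_of_rejected_tags_or_attributes)."""
    s = AllowlistSanitizer()
    s.feed(html)
    s.close()
    return "".join(s.out), s.dropped
```

The second return value lets the upload handler flag profiles whose content needed heavy stripping, which is a useful signal for the "anyone can upload" platforms the report describes.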

Other examples of Web 2.0 security scares

Some other recent Web 2.0 security vulnerabilities:

  • Google has had an alarming number of security scares recently. Techcrunch and Search Engine Watch both listed a variety of Google security blunders, ranging from Gmail to Blogger.com.
  • Skype Superintendent Trojan: the Swiss Department of the Environment, Transport, Energy and Communications (UVEK) is examining the use of spy software to allow it to listen in on conversations on PCs. This obviously is a worry for Skype and other VoIP users!
  • A Read/WriteWeb commenter noted that some social networking services (SNS) can access your Gmail, Yahoo Mail and Hotmail contacts when you invite your friends into their systems. A spammer could use this to harvest email addresses.

There are no doubt many more security issues with web 2.0 software or apps. Please leave a comment here if you know of any.

Talkback (most recent of 12)
Security Concerns in Web 2.0
Hi All,

I did get a chance to write a paper on security concerns in Web 2.0. This paper has been published by OWASP (www.owasp.org) now and is available at the link below:

PDF version:
... (Read the rest)
Posted by: dharmeshmm@... Posted on: 05/06/07
