July 28, 2006 4:00 AM PDT
The security risk in Web 2.0
- Related Stories
Worm lurks behind MySpace profilesJuly 18, 2006
PayPal fixes phishing holeJune 16, 2006
Here come the 'Family 2.0' sitesJune 2, 2006
Hijacking MySpace for fame and fortuneMay 10, 2006
Google deal highlights Web 2.0 boomMarch 13, 2006
Google fixes 'minor' Gmail flawMarch 2, 2006
Oracle to 'Fortify' its source codeDecember 20, 2005
Ajax spurs Web rebirth for desktop appsDecember 1, 2005
Samy opens new front in worm warOctober 17, 2005
Ajax gives software a fresh lookOctober 4, 2005
Microsoft plugs phishing hole in Xbox siteMay 25, 2005
Will Ajax help Google clean up?March 17, 2005
Google finds its map serviceFebruary 8, 2005
Gates: Security is top priorityJanuary 17, 2002
Market turmoil shakes world of dot-com investorsJuly 4, 2000
The buzz around the new technology echoes the '90s Internet boom--complete with pricey conferences, plenty of start-ups, and innovative companies like MySpace.com and Writely being snapped up for big bucks. And the sense of deja vu goes even further for some experts. Just as in the early days of desktop software, they say, the development momentum is all about features--and protections are being neglected.
"We're continuing to make the same mistakes by putting security last," said Billy Hoffman, lead engineer at Web security specialist SPI Dynamics. "People are buying into this hype and throwing together ideas for Web applications, but they are not thinking about security, and they are not realizing how badly they are exposing their users."
Yamanner, Samy and Spaceflash are among the higher-profile attacks that have surfaced online. The Yamanner worm targeted Yahoo Mail, harvesting e-mail addresses and forwarding itself to all contacts in a user's Yahoo address book. The Samy and Spaceflash worms both spread on MySpace, changing profiles on the hugely popular social-networking Web site.
Web 2.0 lacks a precise definition; it's used mainly as a catch-all term to cover Web sites that are more than just plain, static pages. Web 2.0 sites are more interactive, allowing people to tag photos posted online, for example. Unlike their predecessors, they deliver an experience more akin to using a desktop application.
But AJAX doesn't just help make Web pages and sites more interactive. It could also provide ways for hackers to hit a Web server and to exploit sites in attacks on visitors, experts said.
"Think of it like a house," said Hoffman, who will give a presentation on AJAX security at next week's Black Hat security event in Las Vegas. "A traditional Web site is like a house with no windows and just a front door. An AJAX Web site is like a house with a ton of windows and a sliding door. You can put the biggest locks on your front and back doors, but I can still get in through a window."
AJAX also increases the possibility of so-called cross-site scripting flaws, which occur when the site developer doesn't properly code pages, experts said. An attacker can exploit this type of vulnerability to hijack user accounts, launch information-stealing phishing scams or even download malicious code onto users' computers, experts have said. Big-name Web companies such as Microsoft, eBay, Yahoo and Google have all experienced cross-site scripting flaws on their Web sites.
But cross-site scripting issues are only one risk. Other potential problems in AJAX code include race conditions, code correctness issues, object model violations, insecure randomness and poor error handling, said Brian Chess, chief scientist at Fortify Software, a maker of source-code analysis tools.
Such errors could expose people's data, let one user control another user's session, allow malicious code to run, or enable other attacks, Fortify said. The company's researchers found examples of all of these errors in sample AJAX code in a December analysis of "Foundations of Ajax," a how-to-book aimed at software developers.
"Since the code samples (in the book) are likely to be regarded as a best-practices guide, many software developers worldwide will learn insecure coding habits," Chess said.
Ryan Asleson, one of the authors of "Foundations of Ajax," said he had not heard of the alleged flaws in the sample code. However, he said, if those problems do exist, it is possible, because the code was kept as simple for a large audience. "We never intended the code that's in there to actually be production-ready code," he noted.
8 commentsJoin the conversation! Add your comment