Web 2.0 Security Scares

Summary: AJAX flings open the door to new malware propagation methods.


For web-based businesses like Google and MySpace, few things are more scary than malicious attacks on the code of your websites or apps. And in this Web 2.0 era, new threats have emerged that specifically target Ajax websites.

Web security firm Finjan recently released a report outlining "sophisticated new threats that target Web 2.0 platforms and technologies." According to the report, this web security threat "centers on the use of Web 2.0 and AJAX (Asynchronous JavaScript and XML) technologies for malicious activities." 

The report acknowledges that Web 2.0 and AJAX technologies enable a rich user experience for Internet users, but it warns: "the technology also flings open the door to new malware propagation methods." Apparently hackers are now targeting high-traffic web sites and either embedding malicious code in hosted Web content, or using AJAX to query what Finjan calls "the hidden web".

Web 2.0 Security Vulnerabilities

I got hold of the full report and here are some highlights:

1) Finjan wrote: "Since Web 2.0 platforms enable anyone to upload content, these sites are easily susceptible to hackers wishing to upload malicious content. Once the malicious content has been uploaded, innocent visitors to these sites can also be infected, and the site owners could be potentially responsible for damages incurred."

The example given was of a personal web page on Geocities being used to compromise an end user’s machine. This was an unfortunate example, because Geocities is more representative of web 1.0. 

2) The next threat listed is this: "Finjan researchers have discovered that AJAX can query back-end web services automatically, or, in other words, “query the hidden web.” This provides an opening for hackers to create “invisible” attacks using AJAX queries, since the code is never revealed on the site and more specifically can be encrypted in transit using SSL."

Note that the "hidden web" in this context refers to the vast majority of the web that is not indexed by search engines. Examples of the hidden web are forms and applications (web services) in which users enter content dynamically.

The example given was the famous "Samy" MySpace worm in 2005, in which a MySpace user named Samy created a worm that automatically added millions of MySpace users as his friend. Samy's code utilized XMLHttpRequest, the JavaScript object used in AJAX (Web 2.0) applications.

Finjan notes that Ajax threats may be even more heightened now than in the 2005 MySpace case:

"Although in this case AJAX was used ‘just’ to transparently populate a worm, our latest discoveries found AJAX being used to silently request malicious code without a user’s knowledge."
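The server-side view of the threat Finjan describes is the one defenders still control. Requests made by script through XMLHttpRequest carry the same origin and session cookie as the user's own clicks, so they cannot be told apart by who sent them; what a worm that automatically adds friends does leave behind is a burst of state-changing calls to one back-end endpoint at a rate no person produces. The following is an added example, not code from the article or from Finjan: a per-session sliding-window check over constructed access-log lines in the format `<unix-seconds> <session-id> <method> <path>`. The log format, the `/friend/add` path and the thresholds are assumptions chosen for illustration.

```javascript
// Per-session burst detection over web-server access logs (added example,
// not from the article or from Finjan). Each constructed line below has the
// assumed format:  <unix-seconds> <session-id> <method> <path>
const SAMPLE_LOG = [
  '1130000000 s1 GET /profile/123',
  '1130000001 s1 POST /friend/add',   // s1 fires six friend-adds in five seconds
  '1130000002 s1 POST /friend/add',
  '1130000002 s1 POST /friend/add',
  '1130000003 s1 POST /friend/add',
  '1130000004 s1 POST /friend/add',
  '1130000005 s1 POST /friend/add',
  '1130000010 s2 POST /friend/add',   // s2 adds three friends over two minutes
  '1130000050 s2 POST /friend/add',
  '1130000060 s3 GET /friend/add',    // GET is not a state change: ignored
  '1130000120 s2 POST /friend/add',
];

// Parse one line; returns null for malformed input rather than throwing,
// so one bad log line does not abort the whole scan.
function parseLine(line) {
  const [ts, session, method, path] = line.trim().split(/\s+/);
  if (!ts || !session || !method || !path) return null;
  const t = Number(ts);
  return Number.isFinite(t) ? { t, session, method, path } : null;
}

// Report sessions whose peak number of <method> <path> requests inside any
// windowSeconds-long interval exceeds maxPerWindow.
function findBursts(lines, { method = 'POST', path, windowSeconds, maxPerWindow }) {
  const perSession = new Map();
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec || rec.method !== method || rec.path !== path) continue;
    if (!perSession.has(rec.session)) perSession.set(rec.session, []);
    perSession.get(rec.session).push(rec.t);
  }

  const flagged = [];
  for (const [session, times] of perSession) {
    times.sort((a, b) => a - b);
    // Two-pointer sliding window: lo is the oldest request still inside the window.
    let best = 0, bestStart = times[0], lo = 0;
    for (let hi = 0; hi < times.length; hi++) {
      while (times[hi] - times[lo] > windowSeconds) lo++;
      const count = hi - lo + 1;
      if (count > best) { best = count; bestStart = times[lo]; }
    }
    if (best > maxPerWindow) flagged.push({ session, peak: best, windowStart: bestStart });
  }
  return flagged;
}

// Stand-alone run: flags s1 only.
console.log(findBursts(SAMPLE_LOG, { path: '/friend/add', windowSeconds: 60, maxPerWindow: 3 }));
```

The threshold is per session rather than per IP address so that a shared proxy does not trip it, and the window slides rather than being bucketed by clock minute so that a burst straddling a boundary is still counted whole. A flagged session is a candidate for rate limiting or for a confirmation step on the friend-add endpoint, not proof of a worm.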

Other examples of Web 2.0 security scares

Some other recent Web 2.0 security vulnerabilities:

  • Google has had an alarming number of security scares recently. TechCrunch and Search Engine Watch both listed a variety of Google security blunders, ranging from Gmail to Blogger.com.
  • Skype Superintendent Trojan: the Swiss Department of the Environment, Transport, Energy and Communications (UVEK) is examining the use of spy software to allow it to listen in on conversations on PCs. This is obviously a worry for Skype and other VoIP users!
  • A Read/WriteWeb commenter noted that some social networking sites can access your Gmail, Yahoo Mail and Hotmail contacts when you invite your friends into their systems. A spammer could use this to harvest email addresses.

There are no doubt many more security issues with web 2.0 software or apps. Please leave a comment here if you know of any.

Topic: Enterprise 2.0


Talkback

12 comments
  • It seems nobody cares about this article.

    With so many posts jumping into the non-important XP SP3 story, I just wonder who is reading ZDNet.

    Ajax opens a huge hole in the web. A custom web service can implement all kinds of security features, but not for Ajax.
    FADS_z
    • good question

      Smart articles which raise intelligent points don't get much in the way of replies.
      0369
    • Nah, maybe the uptake...

      Maybe Ajax usage isn't what they thought it would be. Is the interest really there? We've become disenchanted here.
      Techboy_z
      • Flex 2?

        Any thoughts on the security of Flex 2? Having worked with both, I am a fan of Flex 2's ability to foster the creation interesting / functional applications but I wonder how it stacks up against AJAX security models.
        trush_convos
  • security nah!!!!

    It's not the security thing; it was secured before also when they were using ASP and PHP, but in the case of Ajax they increased security. But it doesn't scare, because upcoming technology may be more than Ajax. I can say now Ajax is booming in the market and renewing all products in Ajax programming; even blogs and office utilization are made easier in Ajax. But we are doing research on more than Ajax, where it will be the new upcoming, and what we are making is a surprise chocolate for the whole IT industries..... www.outsourceb2b.com If you have any enquiry please mail me at mohammad.ali@outsourceb2b.com
    outsourceb2b
  • grrr

    THERE IS NO WEB 2.0

    It's the biggest misnomer of the century. Are there new technologies? Yes, as there always have been and always will be.

    Is this a big jump, warranting a new name? NO!

    Bigger things have happened.
    CobraA1
    • At last!

      Someone who agrees with me. Web 2.0, yeah right. XML with JavaScript, big deal: we've been using this since forever already. AJAX? C'mon. It became cool to use JavaScript with XML because it suddenly had a name. To me it's still a cleaning product.
      mtifo@...
  • Web 2.0 wasn't built to scale

    My personal experience bears this out as well. And I'm a decent programmer who's very familiar with these technologies, I should know. In fact I wrote an entire post about this at http://jasonkolb.typepad.com/weblog/2006/07/web_20_is_stuck.html a while back.
    jasonkolb
  • This is anecdotal crap.

    "The example given was the famous "Samy" MySpace worm in 2005, in which a MySpace user named Samy created a worm that automatically added millions of MySpace users as his friend. Samy's code utilized XMLHTTPRequest - a JavaScript object used in AJAX, or Web 2.0, applications."

    How is that an example of how "Web 2.0" is insecure? The worm could have been implemented just as easily without XMLHTTPRequest, which is a very simple API for fetching data over HTTP (!).

    I stay away from blogs because of people like you who perpetuate rumor and half-truth because you fundamentally misunderstand technology.
    termid0g
    • Thanks

      I couldn't have said that any better. A kid noticed a silly programming mistake, big deal it happens you know.

      Strip tags instead of letting them be stored.
      webDevx
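The defensive counterpart to both Finjan's first point in the article (anyone can upload content, so stored markup reaches every later visitor) and webDevx's advice to strip tags before they are stored is an allow-list sanitiser that rebuilds the markup from parsed tokens instead of deleting known-bad patterns from the original string. The following is an added example, not code from the article, from Finjan or from any commenter; the tag and attribute allow-list and the `sanitizeHtml` name are assumptions, and it is written for Node.js without a DOM so it can run at the point where user content is stored.

```javascript
// Allow-list HTML sanitiser for user-uploaded content (added example, not from
// the article, Finjan or any commenter). Output is rebuilt from parsed tokens,
// so nothing the user typed reaches the page verbatim. The allow-list below
// is an assumption chosen for illustration.
const ALLOWED_TAGS = {
  b: [], i: [], em: [], strong: [], p: [], br: [],
  a: ['href'],            // only absolute http(s) hrefs survive, see safeHref
};

// Entity-encode text so it can never be parsed as markup.
function escapeText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
          .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// Accept only absolute http(s) URLs. Control characters and spaces are removed
// first so a scheme split by whitespace cannot slip past the check.
function safeHref(value) {
  const v = value.replace(/[\u0000-\u0020]/g, '');
  return /^https?:\/\//i.test(v) ? v : null;
}

// Parse `name="value"`, `name='value'`, `name=value` and bare `name` pairs.
function parseAttrs(raw) {
  const attrs = {};
  const re = /([a-zA-Z][\w-]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(raw)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

function sanitizeHtml(input) {
  let out = '';
  let i = 0;
  while (i < input.length) {
    const lt = input.indexOf('<', i);
    if (lt === -1) { out += escapeText(input.slice(i)); break; }
    out += escapeText(input.slice(i, lt));
    const gt = input.indexOf('>', lt);
    if (gt === -1) { out += escapeText(input.slice(lt)); break; } // unterminated "<": plain text
    const body = input.slice(lt + 1, gt);
    i = gt + 1;
    if (body.startsWith('!')) continue;                            // comments and doctype: dropped
    // A tag is "<" or "</" immediately followed by a name; "a < b" is text.
    const m = /^(\/?)([a-zA-Z][a-zA-Z0-9]*)(?:\s+([\s\S]*?))?\s*\/?$/.exec(body);
    if (!m) { out += escapeText('<' + body + '>'); continue; }
    const closing = m[1] === '/';
    const name = m[2].toLowerCase();
    const allowedAttrs = ALLOWED_TAGS[name];
    if (!allowedAttrs) continue;      // script, img, iframe, ...: tag dropped, its text stays as text
    if (closing) { if (name !== 'br') out += '</' + name + '>'; continue; }
    const attrs = parseAttrs(m[3] || '');
    let tag = '<' + name;
    for (const attr of allowedAttrs) {       // every attribute not listed (onclick, style, ...) is dropped
      if (!(attr in attrs)) continue;
      const value = attr === 'href' ? safeHref(attrs[attr]) : attrs[attr];
      if (value !== null) tag += ' ' + attr + '="' + escapeText(value) + '"';
    }
    out += tag + '>';
  }
  return out;
}

// Stand-alone run with constructed input.
console.log(sanitizeHtml('<p onclick="x()">Hi <b>there</b> &amp; <a href="https://example.com/">link</a></p>'));
```

Because the output is reconstructed, a tag that is not on the list disappears together with every attribute it carried, and text that merely looks like a tag is entity-encoded rather than guessed at. Sanitising once at storage time, as webDevx suggests, still needs to be paired with context-appropriate output encoding wherever the stored value is later placed in a page.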
  • Web 2.0 Security

    Good reading Richard - thanks! All of the old issues are making a strong come-back...
    stu8king
  • Security Concerns in Web 2.0

    Hi All,

    I did get a chance to write a paper on security concerns in Web 2.0. This paper has been published by OWASP (www.owasp.org) now and is available at link below:

    PDF version:
    http://www.owasp.org/index.php/Category:OWASP_Papers

    HTML version:
    http://www.owasp.org/index.php/OWASP_Papers/Jeopardy_in_Web_2_0

    Happy reading !!!

    Please feel free to drop in your comments about the paper.
    You can mail me at dharmeshmm_at_gmail_com

    Regards,
    Dharmesh M Mehta
    Mastek Ltd.
    dharmeshmm@...