As Web 2.0 evolves, security becomes an issue

Researchers believe that without radical change in how browsers interact with the Web, security problems will only get worse

Samy Kamkar was really just trying to impress girls. Instead he made Web hacking history.

Kamkar created what is considered the first Web 2.0 worm -- a virulent bug that could not be blocked by a firewall, and which ultimately forced the owners of to temporarily shut down the site. The Samy worm was just the more prominent of a new generation of Web attacks that some security experts fear may slow down the fast-evolving collaborative model of Internet development known as Web 2.0.

The Samy worm popped up in late 2005. Kamkar says he discovered it while looking for a way to get around the Web site's content posting restrictions and add code that would jazz up the look of his MySpace profile. By taking advantage of a bug in the way the Web site code was written, he was essentially able to control the browser of anyone who visited his profile.

"A Chipolte burrito bol and a few clicks," after discovering the vulnerability Kamkar managed to create the fastest-spreading Web-based worm of all time. Within 20 hours, the worm had spread to nearly 1 million users, forcing them to select Kamkar as their "hero," in their profile page. News Corp. was eventually forced to shutter MySpace in order to fix the problem, and Kamkar eventually got three years probation in Los Angeles Superior court.

Unlike the MyDoom and Sobig worms of years past, which clobbered systems and caused days of technical problems for system administrators, Kamkar's worm didn't do anything to harm MySpace users' computers. And once MySpace fixed the problem, it was fixed globally.

To security experts like Robert Hansen, the CEO of Web security consultancy, the Samy worm is an example of the kind unexpected consequences that can arise when Web site operators let users become contributors to their Web properties.

Hansen, and a group of like-minded white-hat researchers, believe that we're only beginning to see what can go wrong when the security of the new generation of collaborative, Web 2.0 applications gets tested.

They believe that without a radical change to the way that browsers interact with the Web, the Web 2.0 security problem will only get worse.

From the start, desktops and Web servers were simply not designed to work together in a secure fashion. And as Web 2.0 pushes these machines to do more and more exciting things that lie far from their academic, electronic publishing roots, the strain is beginning to show, according to Hansen, who also maintains a Web site that serves as a discussion forum for the latest Web attacks.

"This is really just fundamentally about how browsers work," he said. Google Desktop, in particular, is of concern to Hansen because with this type of service, vulnerabilities in the Web can ultimately affect the desktop. "If you allow a Web site to have access to your drive -- to modify, to change things, to integrate, or whatever -- you're relying on that Web site to be secure."

This is a problem faced by sites like MySpace and eBay every day, but if Google Inc.'s vision of rich desktop and Web integration becomes a reality, the security of Web 2.0 could be come a more pressing issue for corporate users as well. "Historically, Google has not been very good at understanding these issues," Hansen said.

And though some researchers disagree with Hansen, and say that Google has done an admirable job in keeping its site free of flaws, to a large extent, the real Web security problem lies outside of the control of Web sites like Google.

"There is no browser security model," said Alex Stamos, a founding partner of security consultancy Information Security Partners. "The problem is that Google is playing by the rules that Netscape laid down a decade ago."

Stamos calls the Web 2.0 model of sharing little user-generated programs, sometimes called widgets "completely insane," from a security perspective.

There are two major types of Web attacks that have security researchers concerned right now: Cross site scripting attacks, and cross site request forgeries.

There are different varieties of cross site scripting attacks, but the result is always the same: The attacker figures out a way to make unauthorized code run within a victim's browser.

Web sites that allow users to post their own content use filtering software to keep users from posting unsafe code to their MySpace profiles or eBay auctions. But in the case of the Samy worm, Kamkar found a way to sneak his JavaScript past the filters.

In a second type cross site scripting attack, the Web site is tricked into running JavaScript code that is included in the URL (uniform resource locator) for a Web page. Normally Web designers make it impossible for these attacks to work, but a programming mistakes can open the door to an attack.

The Web 2.0 model of integrating partner- and customer-generated components into your Web site means that administrators now have to worry not only about the security of their own Web sites, but the security of those interconnected pieces, said Seth Bromberger, information security manager with Pacific Gas and Electric Co. in San Francisco. "Now you've got multiple gates to defend," he said.

Bromberger is concerned that many Web-based services are being built before their security risks are fully understood. For example, the full risks of cross site request forgery attacks on local networks are only just now being examined, he said.

In a cross site request forgery attack, the criminal finds a way to trick a Web site into thinking that it's sending and receiving data from a user who has been logged onto the site. These kind of attacks could be used to give an attacker unfettered access to any Web site that has not yet logged the victim off.

Many sites protect against this type of attack by automatically logging visitors off after a few minutes of inactivity, but if the attacker could trick a victim into visiting his malicious site just minutes after logging into, say Bank of America's Web site, the bad guy could theoretically clean out the victim's bank account.

Cross site request forgery attacks are hard to pull off in any widespread fashion, but in a targeted hit, they are effective against a remarkably large number of Web sites, according to Jeremiah Grossman, chief technology officer with WhiteHat Security Inc. "Cross site request forgeries are going to be the biggest struggle over the next 10 years," he said.

Web bugs are still extremely common, but the Web site operators have only just recently started to work at rooting them out in a concerted way.

"Oddly, there isn't that much research in terms of, 'How do you build a Web site in practice and what are the best practices that would allow a company to protect themselves," said Michael Barrett, chief information security officer eBay Inc.'s PayPal division. "If there is an emerging set of best practices I'd argue that not many practitioners know what they are."

Barrett thinks that the Web security standards like the WS* specifications go some distance toward solving the Web security problem, but he agrees that many of the basic Web standards, like JavaScript and HTTP need to be rethought. "We need to re-evaluate those standards and potentially rewrite some of them to make this stuff safer," he said. "If enough companies stand up and say there's a problem here, then the industry will start to move."

Copyright © 2007 IDG Communications, Inc.

InfoWorld Technology of the Year Awards 2023. Now open for entries!