Menu
The unexpected consequences of Web 2.0

The unexpected consequences of Web 2.0

Samy Kamkar was really just trying to impress girls. Instead he made Web hacking history.

Kamkar created what is considered the first Web 2.0 worm - a virulent bug that could not be blocked by a firewall, and which ultimately forced the owners of MySpace.com to temporarily shut down the site. The Samy worm was just the more prominent of a new generation of Web attacks that some security experts fear may slow down the fast-evolving collaborative model of Internet development known as Web 2.0.

The Samy worm popped up in late 2005. Kamkar said he discovered it while looking for a way to get around the website's content posting restrictions and add code that would jazz up the look of his MySpace profile. By taking advantage of a bug in the way the website code was written, he was essentially able to control the browser of anyone who visited his profile.

"A Chipolte burrito bol and a few clicks," after discovering the vulnerability, Kamkar managed to create the fastest-spreading Web-based worm of all time. Within 20 hours, the worm had spread to nearly one million MySpace.com users, forcing them to select Kamkar as their "hero" in their profi le page. News was eventually forced to shutter MySpace in order to fix the problem, and Kamkar got three years probation in Los Angeles Superior court.

The new generation

Unlike the MyDoom and Sobig worms of years past, which lobbered systems and caused days of technical problems, Kamkar's worm didn't do anything to harm MySpace users' computers. And once MySpace fixed the problem, it was fixed globally.

To security experts like CEO of Web security consultancy Sectheory.com, Robert Hansen, the Samy worm is an example of the kind of unexpected consequences that can arise when website operators let users become contributors to their Web properties. Hansen, and a group of like-minded white-hat researchers, believe that we're only beginning to see what can go wrong when the security of the new generation of collaborative, Web 2.0 applications gets tested.

From the start, desktops and Web servers were simply not designed to work together in a secure fashion. And as Web 2.0 pushes these machines to do more and more exciting things that lie far from their academic, electronic publishing roots, the strain is beginning to show, according to Hansen. He maintains a website that serves as a discussion forum for the latest Web attacks. "This is really just fundamentally about how browsers work," he said. Google Desktop, in particular, is of concern to Hansen because with this type of service, vulnerabilities in the Web can ultimately affect the desktop.

"If you allow a website to have access to your drive - to modify, to change things, to integrate, or whatever - you're relying on that website to be secure."

This is a problem faced by sites such as MySpace and eBay every day, but if Google's vision of rich desktop and Web integration becomes a reality, the security of Web 2.0 could become a more pressing issue for corporate users as well.

"Historically, Google has not been very good at understanding these issues," Hansen said. And though some researchers disagree with Hansen, and say that Google has done an admirable job in keeping its site free of fl aws, to a large extent, the real Web security problem lies outside of its control.

"There is no browser security model," a founding partner of security consultancy Information Security Partners, Alex Stamos, said. "The problem is that Google is playing by the rules that Netscape laid down a decade ago."

Unusual behaviour

Stamos calls the Web 2.0 model of sharing little user-generated programs, sometimes called widgets, "completely insane" from a security perspective.

There are two major types of Web attacks that have security researchers concerned right now: cross site scripting attacks, and cross site request forgeries.

There are different varieties of cross site scripting attacks, but the result is always the same: the attacker figures out a way to make unauthorised code run within a victim's browser.

Websites that allow users to post their own content use filtering software to keep users from posting unsafe code to their MySpace profiles or eBay auctions. But in the case of the Samy worm, Kamkar found a way to sneak his JavaScript past the MySpace.com filters.

In a second type cross site scripting attack, the website is tricked into running JavaScript code that is included in the URL for a Web page. Normally, Web designers make it impossible for these attacks to work, but a programming mistake can open the door to an attack.

The Web 2.0 model of integrating partner- and customer-generated components into your website means administrators now have to worry not only about the security of their own sites, but the security of those interconnected pieces, information security manager with Pacific Gas and Electric in San Francisco, Seth Bromberger, said.

He is concerned many Web-based services are being built before their security risks are fully understood. For example, the full risks of cross site request forgery attacks on local networks are only just now being examined, he said.

In a cross site request forgery attack, the criminal finds a way to trick a website into thinking it's sending and receiving data from a user who has been logged onto the site. These kind of attacks could be used to give an attacker unfettered access to any website that has not yet logged the victim off.

Cross check

Cross site request forgery attacks are hard to pull off in any widespread fashion, but in a targeted hit, they are effective against a remarkably large number of websites, according to WhiteHat Security chief technology officer, Jeremiah Grossman.

"Cross site request forgeries are going to be the biggest struggle over the next 10 years," he said.

Web bugs are still extremely common, but the website operators have only just recently started to work at rooting them out in a concerted way.

"Oddly, there isn't that much research in terms of, 'How do you build a website in practice and what are the best practices that would allow a company to protect themselves'," chief information security officer of eBay's PayPal division, Michael Barrett, said. "If there is an emerging set of best practices I'd argue that not many practitioners know what they are."

Barrett thinks Web security standards like the WS specifications go some distance toward solving the Web security problem, but he agreed many basic Web standards, like JavaScript and HTTP, need to be rethought.

"If enough companies stand up and say there's a problem here, then the industry will start to move," he said.


Follow Us

Join the newsletter!

Error: Please check your email address.
Show Comments