Is Web 2.0 Safe?
As users store more data online, hackers are finding ways to break into the new service sites. Experts say the problems are deep-seated.
Robert McMillan, PC World
Unexpected Consequences
To security experts like Robert Hansen, the CEO of Web security consultancy firm Sectheory.com, the Samy worm is an example of the kind of unexpected consequences that can arise when Web site operators let users become contributors to their Web properties. Hansen and other like-minded researchers believe that we have only begun to see what can go wrong when the security of Web 2.0 programs gets tested.
Without a radical change in the way that browsers interact with the Web, these experts say, the Web 2.0 security problem will only get worse. And with more and more of our critical data stored by Web 2.0 applications like Google Calendar and Zoho Office Suite, such security holes could do a lot of damage.
Currently, two major types of Web attacks have security researchers concerned: cross-site scripting attacks and cross-site request forgeries.
Cross-site scripting attacks come in different varieties, but the result is the same: the attacker finds a way to make code of his choosing run in a victim's browser as though it were part of the vulnerable site. Because a browser grants script the privileges of the site it appears to come from, that code can read the site's cookies (unless the site has marked them HttpOnly), send requests in the victim's name, and alter what the victim sees.
Web sites that allow visitors to post their own content employ filtering software to keep users from posting unsafe code to their MySpace profiles or eBay auctions, for example. Such filters usually work by stripping a list of known-dangerous tags and words, which leaves untouched every construct not on the list. In the case of the Samy worm, Kamkar found a way to sneak his JavaScript past the MySpace.com filters; once it ran in a visitor's browser it used that visitor's own logged-in session to add Samy as a friend and copy itself into the visitor's profile, so every viewer became a carrier.
In another type of cross-site scripting attack, known as reflected cross-site scripting, the Web site echoes part of a page's URL (a search term, say, or an error message) back into the page it serves, and the attacker places JavaScript in that part of the URL. A victim who follows such a link receives a page from the legitimate site with the attacker's script embedded in it. Web designers normally prevent this by encoding anything taken from the request before writing it into the page, but a single spot where that encoding is missed opens the door to an attack.
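As an added illustration (this is example code written for this article, not code from MySpace or from any of the sites named above), the miniature profile renderer below shows both points at once: a blocklist filter of the kind the Samy worm slipped past stops the payload it was written for and nothing else, while encoding user-supplied text on output neutralises any payload, whether it arrives from a stored profile or from a URL parameter. The payloads, names and markup are constructed for the demonstration.

```javascript
// Added example, not code from the PC World article or from MySpace:
// a miniature profile-page renderer that shows why a blocklist filter on
// user-submitted HTML fails and why encoding on output is the real fix.
// The payloads, names and markup are constructed for illustration.

// Naive blocklist filter of the kind early user-content sites relied on:
// strips <script> tags and the literal word "javascript", nothing else.
function naiveFilter(userHtml) {
  return String(userHtml)
    .replace(/<\s*\/?\s*script[^>]*>/gi, "")
    .replace(/javascript/gi, "");
}

// Vulnerable: trusts the filter and drops the user's HTML straight into the page.
function renderProfileVulnerable(displayName, aboutMe) {
  return `<h1>${displayName}</h1><div class="about">${naiveFilter(aboutMe)}</div>`;
}

// Hardened: encode every user-controlled value for the HTML text context.
// These five characters are the ones that can change HTML structure.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderProfileSafe(displayName, aboutMe) {
  return `<h1>${escapeHtml(displayName)}</h1><div class="about">${escapeHtml(aboutMe)}</div>`;
}

// Rough detector for "the rendered page contains a script tag or an element
// with an inline event handler". It is only here to make the outcome visible
// in the demo; it is not a sanitizer and must not be used as one.
function containsActiveContent(html) {
  return /<script\b|<\w+[^>]*\son\w+\s*=/i.test(html);
}

// Constructed payloads: the first is what the filter was written for; the
// second uses neither a <script> tag nor the word "javascript".
const PAYLOAD_SCRIPT_TAG = "<script>alert(document.cookie)</script>";
const PAYLOAD_EVENT_HANDLER = '<img src=x onerror="alert(document.cookie)">';

// Returns, for each payload, whether each renderer produced active content.
function demo() {
  const payloads = { scriptTag: PAYLOAD_SCRIPT_TAG, eventHandler: PAYLOAD_EVENT_HANDLER };
  const results = {};
  for (const [name, payload] of Object.entries(payloads)) {
    results[name] = {
      vulnerable: containsActiveContent(renderProfileVulnerable("samy", payload)),
      safe: containsActiveContent(renderProfileSafe("samy", payload)),
    };
  }
  return results;
}

console.log(JSON.stringify(demo(), null, 2));
```

The filter wins against the `<script>` payload and loses against the event-handler payload; the encoding renderer never produces active content for either, because a `<` that has become `&lt;` cannot start a tag no matter what follows it. The same encoding applied to a search term echoed from the URL closes the reflected variant described above.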
As Web sites integrate new partner- and user-generated components, administrators must worry about the security of those interconnected pieces as well as the security of their own sites, says Seth Bromberger, information security manager with Pacific Gas & Electric in San Francisco.
"Now you've got multiple gates to defend," he explains.
Bromberger is concerned that many Web-based services are being built before their security risks are fully understood. The full risks of cross-site request forgery attacks on local networks are only just now being examined, he says.
In a cross-site request forgery attack, the criminal's Web page makes the victim's browser send a request (a form submission or an image load, say) to a site where the victim is already logged in. The browser attaches the victim's cookies to that request automatically, so the target site sees what looks like a request from the user and carries it out. Such attacks let an attacker perform, in the victim's name, any action a Web site accepts by plain request for as long as the site has not yet logged the victim off; the attacker generally cannot read the site's replies, but changing a password, an e-mail address or a payment destination does not require reading anything.

Cross-site request forgery attacks are hard to pull off in any widespread fashion, but in a targeted hit, they are effective against a remarkably large number of Web sites, according to Jeremiah Grossman, chief technology officer with WhiteHat Security. "Cross-site request forgeries are going to be the biggest struggle over the next ten years," he says.