Is Web 2.0 Safe?
As users store more data online, hackers are finding ways to break into the new service sites. Experts say the problems are deep-seated.
By Robert McMillan
Samy Kamkar was really just trying to impress girls. Instead, he made Web hacking history.
Kamkar created what is considered the first Web 2.0 worm--a virulent bug that no firewall could block, and which ultimately forced MySpace.com to temporarily shut down. The Samy worm (named after Kamkar) was among the more prominent of a new generation of Web attacks that some security experts fear may slow the fast-evolving collaborative model of Internet development known as Web 2.0.
Kamkar was looking for a way to circumvent MySpace's content-posting restrictions to jazz up his profile when he found a bug that essentially allowed him to control the browser of anyone who visited his MySpace page. "A Chipotle burrito and a few clicks" later, Kamkar says, he created the fastest-spreading Web-based worm of all time.
Within 20 hours, the worm had spread to approximately 1 million MySpace users, forcing them to select Kamkar as their "hero" in their profile page. News Corporation, the site's owner, had to pull down MySpace to fix the problem, and Kamkar later received three years' probation in Los Angeles Superior Court.
As a Web 2.0 worm, Samy signaled the start of a shift in Web security concerns. Past worms such as MyDoom and Sobig clobbered systems and caused days of technical problems for system administrators to contend with. Kamkar's worm didn't do anything to harm MySpace users' computers, but it threatened their data online. And though the affected MySpace users couldn't apply a patch or update their antivirus software to handle the problem, once MySpace fixed the issue on its servers, it was fixed globally.
Unexpected Consequences
To security experts like Robert Hansen, the CEO of Web security consultancy firm Sectheory.com, the Samy worm is an example of the kind of unexpected consequences that can arise when Web site operators let users become contributors to their Web properties. Hansen and other like-minded researchers believe that we have only begun to see what can go wrong when the security of Web 2.0 programs gets tested.
Without a radical change in the way that browsers interact with the Web, these experts say, the Web 2.0 security problem will only get worse. And with more and more of our critical data stored by Web 2.0 applications like Google Calendar and Zoho Office Suite, such security holes could do a lot of damage.
Currently, two major types of Web attacks have security researchers concerned: cross-site scripting attacks and cross-site request forgeries.
Cross-site scripting attacks come in different varieties, but the result remains the same: The attacker finds a way to make unauthorized code run within a victim's browser.
Web sites that allow visitors to post their own content employ filtering software to keep the users from posting unsafe code to their MySpace profiles or eBay auctions, for example. But in the case of the Samy worm, Kamkar found a way to sneak his JavaScript past the MySpace.com filters.
In another type of cross-site scripting attack, the Web site is tricked into running JavaScript code that's included in a Web page's URL. Normally Web designers make it impossible for such ploys to work, but programming errors can open the door to an attack.
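The second variety above, where a value taken from the URL is echoed into the page, is the easiest to see in code. The following is an added illustration, not code from the article or from any of the sites it names: an assumed search page that reflects its "q" parameter, shown in its vulnerable form next to the hardened form that escapes the value for the HTML context it lands in.

```python
import html
from urllib.parse import urlparse, parse_qs

# Constructed example: a search page at an assumed site (example.test) that
# echoes the "q" query parameter back into the HTML it returns.

def _query_param(url: str, name: str) -> str:
    """Pull one query-string value out of a URL (empty string if absent)."""
    return parse_qs(urlparse(url).query).get(name, [""])[0]

def render_unsafe(url: str) -> str:
    """Vulnerable: the parameter is pasted straight into the page, so any
    markup carried in the URL becomes part of the page the browser parses."""
    return f"<p>Results for: {_query_param(url, 'q')}</p>"

def render_safe(url: str) -> str:
    """Hardened: HTML-escape the value for an element text context.
    '<' becomes '&lt;', so the browser displays the text instead of parsing it."""
    return f"<p>Results for: {html.escape(_query_param(url, 'q'))}</p>"

def render_safe_attr(url: str) -> str:
    """Same value inside a quoted attribute: quote=True also escapes the
    quote characters that would otherwise end the attribute early."""
    q = html.escape(_query_param(url, "q"), quote=True)
    return f'<input name="q" value="{q}">'

def markup_survived(rendered: str, tag: str = "<b>") -> bool:
    """Check used by a reviewer or test: did untrusted input survive as live markup?"""
    return tag in rendered

if __name__ == "__main__":
    url = "https://example.test/search?q=<b>hello</b>"
    print(render_unsafe(url), markup_survived(render_unsafe(url)))   # markup survives
    print(render_safe(url), markup_survived(render_safe(url)))       # rendered as text
```

The same rule is what a content filter for user-posted profiles has to get right: escaping at the point of output is reliable, while trying to recognise and strip "bad" code on the way in is the kind of filter the article says Kamkar got past.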
As Web sites integrate new partner- and user-generated components, administrators must worry about the security of those interconnected pieces as well as the security of their own sites, says Seth Bromberger, information security manager with Pacific Gas & Electric in San Francisco.
"Now you've got multiple gates to defend," he explains.
Bromberger is concerned that many Web-based services are being built before their security risks are fully understood. The full risks of cross-site request forgery attacks on local networks are only just now being examined, he says.
In a cross-site request forgery attack, the criminal tricks a Web site into thinking that it's sending data to and receiving it from a user who has been logged on to the site. These kinds of attacks could be used to give an attacker unfettered access to any Web site that has not yet logged the victim off.

Photograph by Robert Cardin
Cross-site request forgery attacks are hard to pull off in any widespread fashion, but in a targeted hit, they are effective against a remarkably large number of Web sites, according to Jeremiah Grossman, chief technology officer with WhiteHat Security. "Cross-site request forgeries are going to be the biggest struggle over the next ten years," he says.
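To make the forgery described above concrete, here is an added example (not code from the article or from any site it mentions) of a state-changing request handler on an assumed banking site, in the form that trusts the login cookie alone and in the form that additionally requires a per-session token that a page on another site cannot obtain. The session store, user names and amounts are constructed for the illustration.

```python
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed in-memory session store: session id -> {"user", "csrf"}.
# Stands in for the server-side state behind the login cookie (assumed site).
SESSIONS: Dict[str, Dict[str, str]] = {}

def login(user: str) -> str:
    """Log a user in. Returns the session id the server sets as a cookie and
    mints a per-session anti-forgery token alongside it."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_hex(16)}
    return sid

def csrf_token(sid: str) -> str:
    """What the site embeds as a hidden field in its own forms for this session."""
    return SESSIONS[sid]["csrf"]

def transfer_unsafe(cookie_sid: Optional[str], form: dict) -> Tuple[int, str]:
    """Vulnerable: the cookie alone is taken as proof the user intended this.
    The browser attaches that cookie to any request aimed at this site, including
    a form some other site's page submits, so a forged request is accepted."""
    sess = SESSIONS.get(cookie_sid or "")
    if sess is None:
        return 401, "not logged in"
    return 200, f"{sess['user']} sent {form['amount']} to {form['to']}"

def transfer_safe(cookie_sid: Optional[str], form: dict) -> Tuple[int, str]:
    """Hardened: the request must also carry the session's token. Another site
    cannot read it, so a request it triggers arrives without it and is refused."""
    sess = SESSIONS.get(cookie_sid or "")
    if sess is None:
        return 401, "not logged in"
    if not hmac.compare_digest(form.get("csrf", ""), sess["csrf"]):
        return 403, "missing or invalid anti-forgery token"
    return 200, f"{sess['user']} sent {form['amount']} to {form['to']}"

if __name__ == "__main__":
    sid = login("alice")
    # A request built by a page on another site: the cookie rides along,
    # but the token is unknown to that page.
    forged = {"amount": "100", "to": "mallory"}
    print(transfer_unsafe(sid, forged))                              # accepted: the weakness
    print(transfer_safe(sid, forged))                                # refused
    print(transfer_safe(sid, {**forged, "csrf": csrf_token(sid)}))   # the site's own form
    print(transfer_safe(None, forged))                               # no cookie at all
```

The last call models the browser-separation tip later in the article: a browser that never logged in to the site holds no cookie for it, so there is no session to forge against in the first place.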
Fundamental Flaws
Personal computers and Web servers were simply not designed to work together in a secure fashion. And as Web 2.0 pushes these machines to do increasingly innovative things, the strain is beginning to show, according to Sectheory.com's Hansen, who also maintains a Web site with a discussion forum on the latest Web attacks.
"This is really just fundamentally about how browsers work," he says.
Google Desktop, in particular, concerns Hansen, because with this type of service, vulnerabilities in the Web can ultimately affect the desktop. "If you allow a Web site to have access to your drive--to modify, to change things, to integrate, or whatever--you're relying on that Web site to be secure."
Sites like MySpace and eBay face this problem every day, but if Google's vision of rich desktop and Web integration becomes a reality, the security of Web 2.0 will matter for corporate users as well. "Historically, Google has not been very good at understanding these issues," Hansen says.
And though some researchers disagree with Hansen and say that Google has done an admirable job of keeping its site free of flaws, to a large extent the real Web security problem lies outside the control of sites like Google.
"There is no browser security model," says Alex Stamos, a founding partner of security consultancy Information Security Partners. "The problem is that Google is playing by the rules that Netscape laid down a decade ago."
Stamos calls the Web 2.0 model of sharing small user-generated programs, called widgets, "completely insane" from a security perspective.
Staying Safe
Web-coding bugs are still extremely common, but Web site operators have only recently started to root them out in a concerted way.
"Oddly, there isn't that much research in terms of 'How do you build a Web site in practice, and what are the best practices that would allow a company to protect themselves?'" says Michael Barrett, chief information security officer for eBay's PayPal division. "If there is an emerging set of best practices, I'd argue that not many practitioners know what they are."
And the nature of Web 2.0 security bugs limits what individual users can do to avoid them. You can keep some cross-site request forgery attacks at bay by switching to a different browser to access Web 2.0 sites that house your sensitive information. If you're browsing with Firefox, for example, you could log on to your banking site in Opera. Any sites you browse in Firefox won't have access to the Opera cookie that keeps you logged in.
Cross-site scripting attacks can be more difficult to avoid. As always, it helps to be careful in choosing which links to click, but that doesn't protect you from a threat like the Samy worm, which could affect a site that you do trust. As Web 2.0 security continues to evolve, you may want to rethink how much of your sensitive personal information you're willing to store online.
Ultimately, Barrett thinks that Web security standards like the WS* specifications go some distance toward solving the Web security problem, but he agrees that many of the basic Web standards, such as JavaScript and HTTP, must be rethought. "We need to reevaluate those standards and potentially rewrite some of them to make this stuff safer," he says. "If enough companies stand up and say there's a problem here, then the industry will start to move."
Web Apps That Work Offline

Finetune's browser-free music player is one of the first Apollo apps.
If you've spent time using Google Docs & Spreadsheets, you're familiar with the service's great features. You are also familiar with a semiregular 'Disconnected' error that forces you to toss out your recent changes or switch to a read-only version of your document when your browser loses touch with the Google service. That's the Achilles' heel of today's rich and promising desktop-like Web apps: They require a hiccup-free Internet connection. If anything interrupts that link, you can lose sync--and your data. At the very least, your info is out of reach.
But developers are working to get around that drawback, using intelligent caching to build offline functionality into their Web applications and browsers.
A new desktop version of Zimbra's browser-based productivity suite can cache your e-mail and calendar data, untethering Zimbra's app from an Internet connection. And a still-in-the-works offering from Scrybe promises a Web app with calendaring and other features that will continue to function even when you activate your browser's "work offline" mode.
Mozilla.org is taking an even broader approach, building offline caching into Firefox 3, due out in beta this summer. Any Web site will be able to take advantage of the feature, though online apps will need to be updated to make use of it.
While caching can free Web apps from the need for a Web connection, another emerging technology aims to free them from the browser. With promises reminiscent of Sun's Java, Adobe says that its new Apollo platform, available as an alpha release, allows Web developers to write applications using online programming tools like Flash and Ajax that run on the desktop without a browser. According to the company, Apollo programs will run the same on Linux, Mac OS, and Windows, just like the Web apps they're based on.
The Finetune music player is one early example of this kind of browser-independent Web app. You can embed its playlist-based music program in your blog or Web site--or you can download an Apollo version and run the player by itself.
Erik Larkin, PC World