Insecure Trends in Web 2.0
We are living through the second dot-com craze, although this time it doesn't look like a bubble: it works just fine, and every month a new Web 2.0 application is acquired for millions.
A couple of popular web trends appeared or were revived in Web 2.0 applications:
- Cutting Edge Technology
It all sounds good, but these trends came with their sins, and their disease of being insecure just spreads. New start-ups and all kinds of Web 2.0 entrepreneurs follow insecure practices that "worked" before, for the sake of usability, simplicity, sociability and money.
Usability & Simplicity
Usability is really important; everything should be easy in Web 2.0 applications, such as:
Change password functionality
Why bother requesting the user's current password before changing it? They've already logged in, right(!). The impact is quite obvious: permanent account hijacking on shared computers, or as the result of an XSS attack.
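The two designs side by side, as an added example that is not code from the original post: the "already logged in" version trusts the session cookie alone, while the hardened version re-authenticates with the current password and revokes the user's other sessions. The in-memory user and session stores are constructed for the example.

```python
import hashlib, hmac, os, secrets

# Constructed in-memory store for the example (not code from the original post):
# USERS maps username -> (salt, PBKDF2 hash); SESSIONS maps session id -> username.
USERS, SESSIONS = {}, {}

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def set_password(username, password):
    salt = os.urandom(16)
    USERS[username] = (salt, _hash(password, salt))

def verify(username, password):
    rec = USERS.get(username)
    return rec is not None and hmac.compare_digest(_hash(password, rec[0]), rec[1])

def login(username, password):
    # Returns a fresh session id, or None on a bad password.
    if not verify(username, password):
        return None
    sid = secrets.token_hex(16)
    SESSIONS[sid] = username
    return sid

def session_user(sid):
    return SESSIONS.get(sid)

def change_password_insecure(sid, new_password):
    # Trusts the session alone: whoever holds the cookie (shared PC, XSS) can set
    # a new password and lock the real owner out for good.
    user = SESSIONS.get(sid)
    if user is None:
        return False
    set_password(user, new_password)
    return True

def change_password(sid, current_password, new_password):
    # Re-authenticates with the current password, then revokes every other session
    # of that user so a stolen cookie stops working too.
    user = SESSIONS.get(sid)
    if user is None or not verify(user, current_password):
        return False
    set_password(user, new_password)
    for other in [s for s, owner in SESSIONS.items() if owner == user and s != sid]:
        del SESSIONS[other]
    return True
```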
Give me your Hotmail password so I can get your contact list
Since when is giving your e-mail password to a website OK? Thanks to social websites, it's now common to give away your e-mail password to other websites. What's next, giving away your online banking password? (Didn't I tell you? Mint already did that!)
Guilty: Bebo, Facebook, Diigo, LinkedIn, slideshare and every single social Web 2.0 application out there
Big Web 2.0 applications are popular and generally traffic heavy, which leads them to simply ignore SSL for performance reasons. Even if they support SSL, they generally don't mark cookies as 'secure', so the browser also sends the session cookie over plain HTTP, which allows an attacker to carry out session hijacking attacks.
Guilty: most Web 2.0 applications, and particularly Gmail for the last 4 years. They've recently introduced an option to force Gmail to work over SSL; funnily enough, it's still not over SSL by default.
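A small audit of the cookie problem described above, added here and not part of the original post: it parses Set-Cookie headers and flags session cookies missing the Secure attribute (and, as a related check, HttpOnly). The sample headers and the "sess"/"auth" name heuristic are constructed for the example.

```python
# Constructed example (not from the original post): audit Set-Cookie headers and flag
# session cookies that a browser would also send over plain HTTP or expose to script.

def parse_set_cookie(header):
    # Returns (name, value, {attribute-name-lowercased: value-or-True}).
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs

def looks_like_session_cookie(name):
    # Heuristic only: treat anything with "sess" or "auth" in the name as a session cookie.
    return "sess" in name.lower() or "auth" in name.lower()

def audit_cookies(set_cookie_headers):
    findings = []
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if not looks_like_session_cookie(name):
            continue
        if "secure" not in attrs:
            # Without Secure the browser also sends the cookie on any http:// request to
            # the host, so one mixed-content image or a typed-in http:// URL leaks it.
            findings.append(f"{name}: missing Secure")
        if "httponly" not in attrs:
            findings.append(f"{name}: missing HttpOnly")
    return findings

# Constructed sample responses: the common case the post describes, and the hardened one.
HEADERS_NO_FLAGS = [
    "SESSIONID=2b7c0f1a; Path=/; Domain=.example.test",
    "theme=dark; Path=/",
]
HEADERS_HARDENED = [
    "SESSIONID=2b7c0f1a; Path=/; Domain=.example.test; Secure; HttpOnly",
]
```

Against a live site, pass the response's own headers, e.g. `resp.headers.get_all("Set-Cookie")` from a `urllib.request` response.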
Retrieving Password by E-mail
Almost all web applications will send your password to your e-mail without requesting any extra information such as a "security question". This means that if your e-mail account gets hacked, your identity is gone within moments.
Guilty: Almost all Web 2.0 Applications
Plain Stupid Simplicity
A couple of Web 2.0 applications don't even allow you to choose a password longer than 8 characters, because they keep it simple(!). Forcing your users to choose insecure passwords is not simplicity, it's stupidity.
We might forgive this one, but now every single application offers this feature, which makes them easier to exploit through Cross-site Scripting attacks or account hijacking on shared computers.
Social engineering used to be something of an art, but now it's bloody easy. If you are trying to learn more about someone, such as "what colour of undies she's wearing", "what's her birthday", "who's her boyfriend", "where was she last night" or "in which company she's working as a personal assistant", just visit her profile on Facebook, MySpace or Bebo, read her Twitter messages, and learn her taste in music by checking out her last.fm profile. Don't stop there: learn what she reads from LibraryThing and what she eats from another social website, and see her resume on LinkedIn. Finally, don't forget her blog, where she writes every little totally useless detail about her daily life. Funnily enough, you'll figure out pretty soon that her e-mail password is her dog's name.
A couple of years ago we were talking about how "out-of-office" replies leak information; now we are talking about massive information leakage about everything. All employees blog about stuff, and companies are being "open" and "transparent". That's Web 2.0 for you, where your birthday is publicly available on 15 different social websites and the first draft of your company's new, super project is already published on one of your developers' blogs.
Password cracking and Social Networks
Besides the obvious social engineering, identity theft or identity faking attacks, there are other issues. An attacker can use different social networks to find the answers to the "secret questions" used to reset a victim's password on different websites; furthermore, an attacker can gather all of this information and use it in a dictionary attack against online accounts or in an offline password cracking attack.
CSRF(able) Bookmarklets and Tool Integration
Bookmarklets are inherently vulnerable to CSRF attacks (the endpoint a bookmarklet calls has to accept requests initiated from any page, which is exactly what CSRF protection is supposed to refuse), and most Web 2.0 applications that support social integration provide several bookmarklets.
Guilty: twitter, Diigo
Overpowered APIs and Duplicated Code
To increase integration between services, most Web 2.0 applications provide powerful APIs. Generally the web application doesn't use these APIs internally, which leads developers into common security pitfalls such as "duplicated code", "broken authorisation" and "information leakage".
The API features provide more than the user interface and generally make automation easier, which can cause massive information leakage. The same goes for different interfaces to the same functionality. For example, Twitter protected itself against CSRF in the web interface while it was still vulnerable to CSRF in the mobile interface (which was on the same domain and therefore equally exposed).
Guilty: Facebook, twitter (mobile interface)
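The design lesson from the bookmarklet and mobile-interface CSRF points above, as an added example that is not Twitter's or any project's code: every interface (web, mobile, API) is routed through one guarded handler, so the CSRF rule for cookie-authenticated requests cannot be forgotten in a duplicated copy. The sessions, API keys, routes and the deliberately unguarded "duplicated" handler are constructed for the example.

```python
import hmac, secrets

# Constructed example, not twitter's or any project's code. Sessions, API keys and
# routes are made up to show one state change reached from several interfaces.
SESSIONS = {"sid-alice": "alice"}      # cookie session id -> user
API_KEYS = {"key-alice": "alice"}      # API key -> user (no cookie, so no CSRF exposure)
CSRF_TOKENS = {}                       # session id -> token embedded in the served form

class Request:
    def __init__(self, path, cookies=None, form=None, headers=None):
        self.path, self.cookies = path, cookies or {}
        self.form, self.headers = form or {}, headers or {}

def issue_csrf_token(sid):
    CSRF_TOKENS[sid] = secrets.token_hex(16)
    return CSRF_TOKENS[sid]

def update_status(user, text):
    # The only place the state change happens; every interface goes through it.
    return {"status": 200, "user": user, "text": text}

def guarded_update(req):
    # Authentication and the CSRF rule live here once, not once per interface.
    api_key = req.headers.get("Authorization", "").removeprefix("Bearer ")
    if api_key in API_KEYS:
        return update_status(API_KEYS[api_key], req.form.get("text", ""))
    sid = req.cookies.get("sid")
    user = SESSIONS.get(sid)
    if user is None:
        return {"status": 401}
    expected = CSRF_TOKENS.get(sid, "")
    if not expected or not hmac.compare_digest(req.form.get("csrf", ""), expected):
        return {"status": 403, "reason": "missing or bad CSRF token"}
    return update_status(user, req.form.get("text", ""))

def mobile_update_duplicated(req):
    # The pattern the post describes: a second copy for the mobile UI that forgot the
    # token check. Same domain, same cookies, so the same CSRF exposure.
    user = SESSIONS.get(req.cookies.get("sid"))
    if user is None:
        return {"status": 401}
    return update_status(user, req.form.get("text", ""))

ROUTES = {
    "/status": guarded_update,       # web UI
    "/m/status": guarded_update,     # mobile UI, same guard rather than a copy
    "/api/status": guarded_update,   # API clients authenticate with a key
}
def dispatch(req):
    handler = ROUTES.get(req.path)
    return handler(req) if handler else {"status": 404}
```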
Guilty: The Internet
Cutting Edge Technology
Besides all of this, these new technologies increase the attack surface on the client side as well. Your website can be vulnerable to XSS because of an Adobe PDF file (Adobe Universal XSS) or a Flash file (clickTAG XSS).
Even after a massive number of phishing attacks, fake websites and so-called "legitimate businesses", it's quite impressive to see how much people still trust websites.
Google wants your medical records with Google Health, and another Web 2.0 application, Mint, wants your bank account details (no, I'm not kidding) to manage your finances. We already knew there are crazy people out there who upload their private videos and pictures to websites and mark them as "private". Guess what: they're not that private after all, as seen in a Facebook vulnerability which allowed anyone's private photo albums to be viewed.
Developers should be careful about these common but insecure Web 2.0 practices, and should be aware of the consequences of the technology they choose and the design decisions they make.