Insecure Trends in Web 2.0

26-12-2008

We are living the second dot-com craziness, although this time it doesn't look like a bubble, it works just fine and every month a new Web 2.0 application acquired for millions.

Couple of popular web trends appeared and revived in Web 2.0 applications:

All sounds good but also they came with their sins. And their disease of being insecure just spreads.... New start-ups and all kind of Web 2.0 entrepreneurs following previously "worked" insecure practices for the sake usability, simplicity, sociability and money.

 

Usability & Simplicity

Usability is really important, everything should be so easy in Web 2.0 applications, such as:

 

Change password functionality

Why bother with requesting user's current password before changing their password, they've already logged in, right(!). Impact of this is quite obvious. Permanent account hijacking in shared computers or result of an XSS attack.

Guilty:  twitter

Give me your Hotmail password so I can get your contact list

Since when giving your e-mail password to a website is OK? Thanks to social websites now it's a common thing to give away your e-mail passwords to other websites. What's next, giving away your online banking password? (Didn't I tell you? Mint already did that!)

Guilty: Bebo, Facebook, Diigo, LinkedIn, slideshare and every single social Web 2.0 application out there

 

SSL

Big web 2.0 applications are so popular and they are generally traffic heavy. Which causes them to simply ignore SSL for performance reasons. Even if they supports SSL generally they don't mark cookies as 'secure' which allows an attacker to carry out successful session hijacking attacks.

Guilty: Most of the Web 2.0 applications and particularly Gmail for the last 4 years. They've recently introduced an option to force gmail to work over SSL. Funny enough it's still not over SSL by default.

Retrieving Password by E-mail

Almost all web applications can retrieve your password to your e-mail without requesting any other extra information like a "security question" or something.  This means if your e-mail account get hacked your identity has gone within moments.

Guilty: Almost all Web 2.0 Applications

Plain Stupid Simplicity

Couple of Web 2.0 application doesn't even allow you to choose a password more than 8 characters because they keep it simple(!) Forcing your users to choose insecure passwords is not simplicity it's stupidity.

   

Remember Me

We might forgive this one but now every single application allows this feature which makes them easier to exploit against Cross-site Scripting attacks or account hijacking in shared computers.

Guilty: Everyone!

 

Sociability

Social engineering was some kind of an art but now it's bloody easy. If you are trying to learn more information about someone such as "what colour of undies she's wearing" or "what's her birthday" or "who's her boyfriend" or "where was she last night" or "in which company she's working as personal assistant" just visit her profile in Facebook, myspace, bebo, read her twitter messages, learn her taste of music by checking out her last.fm profile. Don't stop there learn what she reads from librarything and what she eats from another social website, and see her resume in LinkedIn. Finally don't forget her blog where she writes every little totally useless information about her daily life. Funny enough you'll figure pretty soon her e-mail password is her dog's name.

Couple of years ago we were talking about how "out-of-office" replies leaks information, now we are talking about massive information leakage about everything. All employees blog about stuff, companies being "open" and "transparent". That's the Web 2.0 for you where your birthday is publicly available in 15 different social websites and your company's new and super project's first draft already published in one of your developer's blog.

Password cracking and Social Networks

Beside of the obvious potential social engineering attacks, identity theft or faking one's identity sort of attacks there are other issues. An attacker can use different social networks to find answers of "secret questions" to reset the password of his or her victims in different websites furthermore an attacker can gather all of this information and might use it in a dictionary attack against online accounts or an offline password cracking attack.

Integration

CSRF(able) Bookmarklets and Tool Integration

Bookmarklets are inherently vulnerable to CSRF attacks and most of the Web 2.0 applications which supports social integration provides several bookmarklets.

Guilty: twitter, Diigo

Overpowered APIs and Duplicated Code

To increase the integration between services most of the Web 2.0 applications provides powerful APIs. Generally the web application doesn't use these APIs internally which leads developers to common security pitfalls such as "duplicated code", "broken authorisation", "information leakage".

Features in the APIs provides more than the user interface and generally provides easier automation which can cause massive information leakage issues. Same things goes for different interfaces to access the same functionality. For example twitter protected itself against CSRF in the web interface although it was still vulnerable to CSRF in the mobile interface (which was in the same domain therefore vulnerable).

Guilty: Facebook, twitter (mobile interface)

 

Outsourcing

Since lots of things have been already built, why bother to build our own system. Let's just use others'. From productivity point of view this is one of the greatest things happened to web, just like programmers using external libraries now web developers can use external widgets. Instead of building your own photo gallery just use Flickr, instead of using your own flash player just embed it from youtube. Instead of rolling your own webstats just use "google analytics", add an "adsense javascript" or "google ad manager" so you don't need to manage your ads.

This is all good but it comes with a price, it increases the attack surface of the applications. Do you remember Fluffy Bunny's attack to SecurityFocus ? Every piece of javascript, flash animation, java applet, RSS feed is a potential vulnerability in your website. If an attacker can gain access to one of this external resources game is over in the client-side. Now your website is vulnerable to Cross-site Scripting because of this.

It's client-side, that's true, but what about attack opportunities such as stealing keylogs in login forms via JavaScript? After this an attacker might login as admin, and now it's a proper defacement.

Guilty: The Internet

Cutting Edge Technology

Everyday there is new buzz in Web 2.0. It can be AJAX, Flex, Adobe AIR, Silverlight, Comet, Flash & Web Services, Widgets, Crazy JavaScript libraries etc. When the technology is new that means "best practices" are not defined yet, they are "work in progress". Which generally results with issues such as "Premature AJAX-ulation", Javascript Hijacking, Flash XSS issues or plain stupid usage of the technology.

Beside of these all of these new technologies increase the attack surface of the client as well. Your website can be vulnerable to XSS because of an Adobe PDF file (Adobe Universal XSS) or a Flash File (clicktag XSS).

Trust

Even after massive number of phising attacks, fake websites, so called "legitimate business", it's quite impressive to see how much people still trust the websites.

Google wants your medical records with Google Health and another Web 2.0 application Mint wants your bank account details (no I'm not kidding) to manage your finance. We already knew there are crazy people out there who upload their private videos and pictures to websites by marking them as "private". Guess what, they're not that private after all as seen on a Facebook vulnerability which allows to see private photo albums of anyone.

Developers should be careful about these common but insecure practices of Web 2.0 and should be aware of the consequences of the technology they choose and design decisions.

Recent Blog Posts

See all of the blog posts