Web 2.0 vulnerability found!

April 2, 2007

Fortify Software, the leading provider of security products that help companies identify, manage and remediate software vulnerabilities, today announced that its Security Research Group has documented the first major vulnerability associated specifically with Web 2.0 and AJAX-style software. Termed JavaScript Hijacking, the vulnerability allows an attacker to steal critical data by emulating unsuspecting users. To combat this issue, Fortify has released an in-depth security advisory that details this vulnerability, how enterprises can determine if they are vulnerable and how they can fix the issue. A copy of this advisory can be downloaded at http://www.fortifysoftware.com/advisory.jsp.

As part of Fortify’s work, the 12 most popular AJAX frameworks were analyzed, including frameworks from Google, Microsoft, Yahoo! and the open source community. Fortify determined that among them, only Direct Web Remoting (DWR) 2.0 implements mechanisms for preventing JavaScript Hijacking. The rest of the frameworks do not explicitly provide any protection and do not mention any security concerns in their documentation. Even if an application does not use any of the frameworks listed above, it may be vulnerable if it contains AJAX components that use JavaScript as a data transfer format for sensitive data.
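The advisory is summarised above but not reproduced, so here is an added illustration (my own example, not Fortify's or DWR's code) of the kind of server-side and client-side checks that stop a data endpoint from being loaded as a cross-site script tag; the function names, the guard prefix and the sample requests are hypothetical and constructed for this example.

```javascript
// Added example (not from the advisory): defending a JSON/JavaScript data
// endpoint against JavaScript Hijacking. Names and sample values are hypothetical.

// Prefix that makes the body a syntax error when evaluated as a script, but is
// trivially stripped by our own XMLHttpRequest client before JSON.parse.
const GUARD_PREFIX = ")]}',\n";

// Decide whether a request for sensitive data came from our own AJAX client.
// A <script src=...> tag on another site can only issue a GET, cannot set
// custom headers, and in a modern browser does not carry our Origin.
function isSafeDataRequest(req, allowedOrigin) {
  const headers = Object.fromEntries(
    Object.entries(req.headers || {}).map(([k, v]) => [k.toLowerCase(), v]));
  if (req.method !== 'POST') return false;                             // script tags only GET
  if (headers['x-requested-with'] !== 'XMLHttpRequest') return false;  // custom header required
  const origin = headers['origin'];
  if (origin !== undefined && origin !== allowedOrigin) return false;  // cross-site origin
  return true;
}

// Wrap the serialized data so it is never valid JavaScript on its own:
// an object literal is returned (a bare array is a valid expression and can be
// captured by overriding Array or its setters), and the guard prefix is prepended.
function guardResponse(data) {
  return GUARD_PREFIX + JSON.stringify({ d: data });
}

// Client side: strip the guard and parse. Anything else is treated as tampering.
function parseGuardedResponse(body) {
  if (!body.startsWith(GUARD_PREFIX)) throw new Error('missing guard prefix');
  return JSON.parse(body.slice(GUARD_PREFIX.length)).d;
}

// Constructed sample requests: one as a <script> tag on another site would send
// it, one as our own XMLHttpRequest client would send it.
const crossSiteScriptTag = { method: 'GET', headers: { referer: 'https://other-site.example/' } };
const ownClient = { method: 'POST',
  headers: { 'X-Requested-With': 'XMLHttpRequest', Origin: 'https://app.example' } };

console.log(isSafeDataRequest(crossSiteScriptTag, 'https://app.example')); // false
console.log(isSafeDataRequest(ownClient, 'https://app.example'));          // true
console.log(parseGuardedResponse(guardResponse([{ id: 1, email: 'a@example.com' }])));
```

The header and method checks rely on the browser's same-origin restrictions on script tags, so they protect only browser-mediated requests; the guard prefix is the defence-in-depth layer that holds even where those checks are misconfigured.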

This could potentially affect apps such as Gmail, so it is concerning. I’ve always had my doubts about the security of data transferred in AJAX apps, but not having the technical resources to look into it in detail, I have never investigated fully. My concerns have prevented us from using a lot of AJAX features on our site, and where we do, it is all secure as no sensitive data is involved. Imagine the furore if this proves to be a major problem: just how many Web 2.0 start-ups could fold as they are forced to re-engineer their apps to secure themselves? I’m sure it won’t be that bad, but it is something that needs taking seriously!
