Web 2.0 Security - Part 1

New technology always comes together with new forms of threats. Web 2.0 is no exception. True enough, the new Web 2.0 sites are generating lots of hypes in capabilities, offering the internet community all sort of wonderful things we can do using the websites. The benefits are huge. But sadly to say, in a rush to impress the masses with new functionality, security may have been overlooked. At least that is what some experts believe.

“We’re continuing to make the same mistakes by putting security last,” said Billy Hoffman, lead engineer at Web security specialist SPI Dynamics.

One of the key components of Web 2.0 is new programming techniques called AJAX. But AJAX doesn’t just help make web applications more interactive and lively, it also provides new ways for irresponsible intruders to hack a Web server and cause much damage to the community of Web 2.0 users.

One of the major vulnerabilities associated with AJAX is what is called cross-site scripting. By taking advantage of this capability, a hacker can hijack user accounts, launch information-stealing phishing scams or even download malicious code onto users’ computers. The possible damage is unthinkable.

But cross-site scripting issues are only one risk. Other potential problems in AJAX code include race conditions, code correctness issues, object model violations, insecure randomness and poor error handling, said Brian Chess, chief scientist at Fortify Software, a maker of source-code analysis tools.

You would have thought this kind of risk only affects websites created and run by smaller players who may not have necessary budget to address security issues in their development. The fact remains quite contrary. Hackers are more likely to attack big players because the hypes and publicity generated by such acts are more prominently highlighted all over the world wide web compared to an attack on an average Joe’s website.

However, the hacker can very well be any Tom, Dick or Harry. In one case, Gmail account had been compromised by a 14-year-old blogger, yes you get it right… a 14-year-old blogger, utilizing a security flaw that allows JavaScript code to run when viewing a message in Gmail, potentially allowing malicious code to be used by an attacker to compromise a Gmail account.

I believe the hackers are having field days in their quest to prove who is better. Perfect security may never be achieved due to the fact that every technology has its own soft spot that can be used against the technology itself, but I hope Web 2.0 developers out there would practice safe computing to a level that is sufficient to at least make security compromises are harder to be accomplished and any reported hacking is quickly resolved to restore confidence among web surfers.

In the next installment of a potentially long series of Web 2.0 Security, I will look further at other security vulnarabilities that are of concern to the Web 2.0 community.

Read CNET