Thursday, June 28, 2007

Virus 2.0



Is Web 2.0 Safe?

'As users store more data online, hackers are finding ways to break into the new service sites. Experts say the problems are deep-seated.

Samy Kamkar was really just trying to impress girls. Instead, he made Web hacking history.

Kamkar created what is considered the first Web 2.0 worm--a virulent bug that no firewall could block, and which ultimately forced MySpace.com to temporarily shut down. The Samy worm (named after Kamkar) was among the more prominent of a new generation of Web attacks that some security experts fear may slow the fast-evolving collaborative model of Internet development known as Web 2.0.

Kamkar was looking for a way to circumvent MySpace's content-posting restrictions to jazz up his profile when he found a bug that essentially allowed him to control the browser of anyone who visited his MySpace page. "A Chipotle burrito and a few clicks" later, Kamkar says, he created the fastest-spreading Web-based worm of all time.

Within 20 hours, the worm had spread to approximately 1 million MySpace users, forcing them to select Kamkar as their "hero" in their profile page. News Corporation, the site's owner, had to pull down MySpace to fix the problem, and Kamkar later received three years' probation in Los Angeles Superior Court.

As a Web 2.0 worm, Samy signaled the start of a shift in Web security concerns. Past worms such as MyDoom and Sobig clobbered systems and caused days of technical problems for system administrators to contend with. Kamkar's worm didn't do anything to harm MySpace users' computers, but it threatened their data online. And though the affected MySpace users couldn't apply a patch or update their antivirus software to handle the problem, once MySpace fixed the issue on its servers, it was fixed globally.

To security experts like Robert Hansen, the CEO of Web security consultancy firm Sectheory.com, the Samy worm is an example of the kind of unexpected consequences that can arise when Web site operators let users become contributors to their Web properties. Hansen and other like-minded researchers believe that we have only begun to see what can go wrong when the security of Web 2.0 programs gets tested.

Without a radical change in the way that browsers interact with the Web, these experts say, the Web 2.0 security problem will only get worse. And with more and more of our critical data stored by Web 2.0 applications like Google Calendar and Zoho Office Suite, such security holes could do a lot of damage.

Currently, two major types of Web attacks have security researchers concerned: Cross-site scripting attacks, and cross-site request forgeries.

Cross-site scripting attacks come in different varieties, but the result remains the same: The attacker finds a way to make unauthorized code run within a victim's browser.

Web sites that allow visitors to post their own content employ filtering software to keep the users from posting unsafe code to their MySpace profiles or eBay auctions, for example. But in the case of the Samy worm, Kamkar found a way to sneak his JavaScript past the MySpace.com filters.

In another type of cross-site scripting attack, the Web site is tricked into running JavaScript code that's included in a Web page's URL. Normally Web designers make it impossible for such ploys to work, but programming errors can open the door to an attack.
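Both varieties described above, stored script smuggled past a content filter and script echoed back from a URL, are closed by the same server-side measure: encoding untrusted text for the HTML context it lands in rather than trying to recognise bad input. The following is an added example, not code from the article or from MySpace; `escapeHtml`, `renderProfile`, `renderSearch` and the sample profile and URL are assumptions constructed for the demonstration.

```javascript
// Added example (not from the article): contextual output encoding as the
// defence against both stored XSS (user-posted profile content) and reflected
// XSS (content echoed from the URL). All names and sample data are assumptions.

// Encode the five characters that carry meaning inside an HTML text node or a
// double-quoted attribute value, so whatever the user typed is shown as text.
// '&' is handled first so the entities introduced below are not re-encoded.
function escapeHtml(untrusted) {
  return String(untrusted)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Stored case: a profile page assembled from fields the user saved earlier.
function renderProfile(profile) {
  return (
    '<h1>' + escapeHtml(profile.name) + '</h1>\n' +
    '<p class="bio">' + escapeHtml(profile.bio) + '</p>'
  );
}

// Reflected case: a search page that echoes the "q" query parameter from the
// request URL. URL.searchParams percent-decodes the value for us.
function renderSearch(requestUrl) {
  const q = new URL(requestUrl).searchParams.get('q') || '';
  return '<p>Results for: <b>' + escapeHtml(q) + '</b></p>';
}

// Demo detector: does the finished markup still contain a live <script> tag?
// Encoded output must never match, whatever the user supplied.
function containsScriptTag(html) {
  return /<script/i.test(html);
}

// Constructed sample input: a bio that is raw script, the shape of content a
// posting filter is meant to stop, plus a search URL carrying the same thing.
const sampleProfile = {
  name: 'samy',
  bio: 'hi <script>alert(1)</script>',
};
const sampleUrl =
  'https://example.invalid/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E';

// Stand-alone run: both pages render the script as visible, inert text.
console.log(renderProfile(sampleProfile));
console.log(renderSearch(sampleUrl));
```

The point of the design is that `escapeHtml` does not need to know what an attacker might send; it only needs to know the context (an HTML text node here) into which the text is placed. A different context, such as a JavaScript string or a URL attribute, needs a different encoder, which is why a single blacklist filter at posting time is the weaker defence.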

As Web sites integrate new partner- and user-generated components, administrators must worry about the security of those interconnected pieces as well as the security of their own sites, says Seth Bromberger, information security manager with Pacific Gas & Electric in San Francisco.

"Now you've got multiple gates to defend," he explains.

Bromberger is concerned that many Web-based services are being built before their security risks are fully understood. The full risks of cross-site request forgery attacks on local networks are only just now being examined, he says.'
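A cross-site request forgery, the second attack the article names, works because a browser attaches the victim's cookies to any request a page on another site makes it send, so the site cannot tell a forged request from a genuine one by the cookie alone. The standard defence is to require something a foreign page cannot produce: a browser-set Origin header that matches the site, plus a per-session token embedded only in the site's own forms. The following is an added example, not code from the article or from any site it mentions; `checkCsrf`, `timingSafeEqualStr`, the session shape and the sample requests are assumptions constructed for the demonstration.

```javascript
// Added example (not from the article): server-side checks that reject a
// cross-site request forgery. Names and sample data are assumptions.

// Constant-time string comparison so response timing does not leak how many
// leading characters of the token were right. Written inline to avoid imports.
function timingSafeEqualStr(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string') return false;
  let diff = a.length ^ b.length;
  const n = Math.max(a.length, b.length);
  for (let i = 0; i < n; i++) {
    diff |= (a.charCodeAt(i) || 0) ^ (b.charCodeAt(i) || 0);
  }
  return diff === 0;
}

// Decide whether a state-changing request may proceed.
//  - session.csrfToken : per-session secret the site embedded in its own forms
//  - req.headers       : lowercase header names, as most servers present them
//  - req.body.csrf_token : the token the submitted form carried back
//  - siteOrigin        : the site's own origin, e.g. 'https://social.example'
function checkCsrf(session, req, siteOrigin) {
  const headers = req.headers || {};
  const body = req.body || {};

  // 1. Only state-changing methods are checked; GET must never change state,
  //    otherwise an <img> on any page could trigger it.
  if (['GET', 'HEAD', 'OPTIONS'].includes(req.method)) return { ok: true };

  // 2. Origin (Referer as fallback): the browser sets these itself, and a
  //    form or image on another site cannot make them claim the site's own origin.
  const source = headers['origin'] || headers['referer'];
  if (!source) return { ok: false, reason: 'missing Origin/Referer' };
  let sourceOrigin;
  try {
    sourceOrigin = new URL(source).origin;
  } catch (e) {
    return { ok: false, reason: 'unparseable Origin/Referer' };
  }
  if (sourceOrigin !== siteOrigin) {
    return { ok: false, reason: 'cross-site origin ' + sourceOrigin };
  }

  // 3. Synchronizer token: a page on another site cannot read the victim's
  //    token, so a forged form cannot include the right value.
  if (!session || !session.csrfToken) return { ok: false, reason: 'no session token' };
  if (!timingSafeEqualStr(body.csrf_token, session.csrfToken)) {
    return { ok: false, reason: 'token mismatch' };
  }
  return { ok: true };
}

// Constructed sample data (token is a fixed string here, not a random one).
const SITE = 'https://social.example';
const session = { user: 'alice', csrfToken: 'cafe1234deadbeef' };

// What the site's own "update profile" form sends back.
const legitimateRequest = {
  method: 'POST',
  headers: { origin: SITE, cookie: 'sid=abc' },
  body: { hero: 'alice', csrf_token: 'cafe1234deadbeef' },
};

// What a form submitted from another site would look like on arrival: the
// cookie rides along, but the Origin is foreign and the token is absent.
const forgedRequest = {
  method: 'POST',
  headers: { origin: 'https://attacker.invalid', cookie: 'sid=abc' },
  body: { hero: 'samy' },
};

// Stand-alone run: the first is accepted, the second rejected with a reason.
console.log(checkCsrf(session, legitimateRequest, SITE));
console.log(checkCsrf(session, forgedRequest, SITE));
```

The two checks are deliberately independent: the Origin test catches forgeries cheaply and logs a useful reason for detection, while the token test still holds on the rare clients and proxies that strip Origin and Referer. A request that fails either check is logged and dropped, never retried with relaxed rules.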
