Researchers Unearth New Web 2.0 Vulnerability
Developers in the past used Javascript for simple features like image rollovers and Web forms. But in the Web 2.0 world, Javascript is increasingly being used to transport data, and that's opening the door to security issues, said Brian Chess, chief scientist at Palo Alto, Calif.-based Fortify, which makes source-code analysis software.
In a security vulnerability Fortify has labeled "Javascript hijacking," attackers could lure users to a malicious Web site and steal confidential data from applications through Web browsers, because the server doesn't sufficiently protect Javascript when it's being used for data transport, according to Chess.
"You end up giving up all your information stored on the Web site, including sensitive information from banking and groupware applications," said Chess.
Fortify researchers tested a dozen Web 2.0 frameworks and found that all were susceptible to Javascript hijacking, Chess said.
"There are vulnerabilities everywhere you look in Web 2.0 applications, including AJAX frameworks from Google, Microsoft and open-source technologies," Chess said.
However, conventional Web applications aren't vulnerable because they don't use JavaScript as a data transport mechanism, Chess said.
Although Web 2.0 technologies are popular, most of the commercial community has yet to fully adopt them, which means there's still time to address these types of security issues, Chess said.
"In the long term, we need a better standard and browsers that are capable of dealing with this type of Web interactivity," he said. "In the meantime, developers need to go back in and fix their code."