Companies warned on Web 2.0 security threats
Research highlights dangers of the latest online technology
Web 2.0 technologies present a number of areas for security concern, according to the latest Internet Security Threat Report by Symantec, released this week.
Web 2.0 is a term used to describe new web application technologies and sites such as blogs, wikis and social or professional networking. Web 2.0 tools allow for user-created content to be developed and implemented by groups of individuals, and are increasingly being used by companies for better staff collaboration and communication.
'Because individuals are able to create and host content on various collaboration platforms such as weblogs, the possibility exists for those platforms to host exploits and become distribution points for links to fraudulent web sites, malicious code, and other security threats, such as spyware,' says the report.
Attackers will often take advantage of the implied trust between the community of individuals and the sites hosting content to compromise users and/or web sites.
Additionally, Web 2.0 technologies rely heavily upon web services, tools that are designed to support interoperability between systems over a network.
Symantec expects to see an increase in the number of attacks taking advantage of the interconnected, interactive nature of Ajax software programming tools to increase the number of potential targets.
Ajax is a web development technique for creating interactive web applications.
'Because Ajax can be used in conjunction with a large number of web services and enables connectivity between them, this could present additional attack vectors into which attackers could inject hostile content,' says the report.
The potential also exists in Ajax for attackers to exploit the trust relationship inherent in the client-server model utilised in web applications by creating exploits hosted by malicious web services that steal poorly stored state or login information on PC clients.
One example of this is cross-site scripting, according to the report:
'Cross-site scripting attacks take place when web applications gather data from a user or other source and then create an output of that data on a user's web browser. Not only could this allow an attacker to steal confidential information, it could also allow an attacker to insert malicious code onto the host through malicious scripts,' it says.