Another Worm, This Time on MySpace
Over at Simple Thoughts, they dissect a Flash/AJAX worm that has been laying waste to MySpace.
The unnamed worm isn't malicious but the Shockwave Flash (.swf) file containing the payload embeds JavaScript into the profile of any MySpace user who views the .swf file. This can easily replicate the "Samy is my friend" worm without breaking a sweat.
This JavaScript code would then be interpreted by any user who visited the site, allowing sensitive data to be stolen, such as a hash value required to carry out operations as a user, and performing operations on behalf of that user (without consent, obviously). Currently, that access is being used only to spread the JavaScript code to other profiles on the popular social network site.
They go on to describe how this worm, if malicious, could be used to compromise MySpace security and a user's Office applications. Defanged (commented) JavaScript is included.
It's fair to say that this is just the beginning of these worms/viruses. The fundamental security situation in the browser hasn't really changed -- the same sort of mischief that could be done in 2004 or 2002 can be done today. So what has changed? At least three things as I see it.
- Web 2.0 sites now persist JavaScript and other executable online artifacts. We all know that a Word or Excel file from a buddy must be treated with caution. We have no such expectations when it comes to their MySpace profiles or plain text emails. It's this persistence of executable artifacts that turns malware into a worm, flowing from one user to another with Web 2.0 haste.
- Our guard is down. If in 1989 anyone outside of a university campus had found a piece of software contacting all manner of remote computers and transferring data, they would have shut it down immediately. Now we don't even blink when our browser secretly accesses other web sites via XMLHttpRequest. How do we identify malicious activity when it doesn't look all that different from normal AJAX activity? That's sort of like the old Mac virus detection tools complaining about a compiler because it tried to modify a resource fork of a file. It's about context.
- Although Flash, XMLHttpRequest, browser extensions and rich Web 2.0 apps haven't really changed the basic security picture for browsers, in combination they can lead to unforeseen vulnerabilities. This latest worm simply demonstrates how inching the security door open in Flash and Web 2.0 at the same time can lead to trouble. When you design webapps for security, don't assume a pristine client environment. Assume the worst and design accordingly.
I don't have any solutions to these problems other than "don't use Flash or AJAX." I'd be interested to hear your thoughts on this topic. Comment away.
Comments: 1 so far

“Now we don’t even blink when our browser secretly accesses other web sites via XMLHttpRequest”
In fact, XMLHTTPRequest is restricted to the current domain.
Comment by Stickman, Friday, July 21, 2006 @ 3:33 am