Facebook, Worms and RSS Feeds - Hacking The Web2.0 Way and Beyond

This morning I was reading an interesting article from Ryan Naraine (ZDNet Zero Day Blog) regarding a Facebook worm which uses RSS feeds and in particular Google Reader to strengthen its attack strategy. Interesting...

If you have been following GNUCITIZEN's research and in particular this blog, you know this is not big news, since I've been describing the numerous web2.0 attack strategies countless times. Perhaps you remember my paper on hacking Web2.0? It sounds very similar to Ryan's article, doesn't it?

One year ago, at the OWASP USA 2007 Summit, someone from the audience asked me when these (Web2.0 style) types of attacks would become mainstream. I said that all my research is quite theoretical but I was expecting to gradually see web2.0 types of attacks happening more and more often in the near future. Well, now we see them happening for sure.

It is time for the security community to stop being so ignorant and get out of its comfort zone for once. I know it is hard.

Web2.0 technologies are everywhere. I've seen them implemented in banks, large and small organizations, charity shops, the global Web. Even the security researchers who once laughed at them and proclaimed them unimportant are now using Twitter. Check out the Twitter security community. It is huge!

Web2.0 is Everywhere! And I've seen Web2.0 technologies fail far too often for my liking. The reason for this is that there aren't that many people who can grasp the entire inter-communication nature of Web2.0. I am not saying that this is hard to learn. All I am saying is that not many people have made the effort to learn how all components fit together.

Web2.0 security is not about XSS, or SQL injection, or even any kind of injection attack. These are simply vulnerabilities. Web2.0 security is all about the loose inter-communication between components which you can trust and components that you cannot. And in today's mashup-driven world, this is damn hard.