Have you heard of Web 2.0? Of course you have. Do you know what it is? Sure you do. Well, your definition may differ from other people's. The term Web 2.0 is redefined all the time, and usually it's just a marketing buzzword. "I'm working with Web 2.0" could even be used as a pickup line, at least if you're trying to lure an investor.

From a more technical point of view, most sites claiming to be Web 2.0 are using a technology called AJAX. This makes it possible to build applications that run in your web browser with (almost) the same look-and-feel as a "real" application running on your computer. AJAX allows the web page to be more interactive and responsive.
So what is so scary about this?

AJAX wasn't exactly designed with security in mind. Some of the developers using AJAX today don't even understand it; they are just building their applications on top of one of the several AJAX frameworks that are available. The problem is that there is a great chance that their final application will be open to something called Cross Site Scripting, or XSS.

Cross site scripting means that a web page you are visiting can have embedded code that makes a call to another web page.
Here’s an example.

If you're using Gmail, you probably have a Gmail browser window open all day long. At some point, you visit a web site with malicious code embedded in the page. The page may be making a call to Gmail in the background, and there will be nothing visible for you to notice.

The code could for example send out an email from your Gmail account, or it could copy the contents of your address book.
I'm only using Gmail as an example here; I don't believe Gmail is more vulnerable than any other site built with AJAX. It could happen on any of the popular Web 2.0 sites: Myspace, Facebook, LinkedIn, Hotmail and Yahoo, to mention just a few. The evil web page you are looking at could be changing your Facebook profile or sending messages to your friends network, and you wouldn't know about it before your friends start asking you strange questions.

However, web based email is more vulnerable for one reason: the data you store in your email account may be of great value to the attacker. You have probably received lots of emails that contain your passwords for web sites you are using. When the attacker gains access to your email, he also gains access to all those sites.
What can you do about it?

If you're a developer, learn about XSS and what you should do to build code that is as secure as possible. Don't fall into the trap of thinking "but my site doesn't contain any information that has a value". If there are users on your site who contribute content, that decision should be made by the user, not by you. You should do everything you can to protect the data your users provide.
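The background call described in the Gmail example works because the browser attaches the victim's session cookie to it automatically, while the malicious page never gets to see anything that only the real webmail page knows. One server-side check a developer can build is to require a per-session secret on every state-changing request. This is an added illustration, not code from the post or from any webmail provider; the session store, the `handle_send_mail` endpoint and the message texts are constructed for the example.

```python
import hmac
import secrets

# Constructed stand-in for a webmail back end's session store: session id -> anti-forgery token.
SESSIONS: dict[str, str] = {}


def start_session() -> tuple[str, str]:
    """Log a user in: create a session and a random secret bound to that session.

    The session id goes into a cookie; the secret is only ever embedded in the
    application's own pages (e.g. as a hidden form field), never in a cookie.
    """
    session_id = secrets.token_hex(16)
    token = secrets.token_hex(16)
    SESSIONS[session_id] = token
    return session_id, token


def handle_send_mail(cookies: dict, form: dict) -> str:
    """State-changing endpoint: refuse unless the request proves it came from our own page."""
    expected = SESSIONS.get(cookies.get("session", ""))
    if expected is None:
        return "rejected: not logged in"
    supplied = form.get("csrf_token", "")
    # Constant-time comparison so a wrong guess does not leak how much of the token matched.
    if not hmac.compare_digest(supplied, expected):
        return "rejected: missing or wrong anti-forgery token"
    return f"sent to {form['to']}"


def demo() -> tuple[str, str]:
    """Replay the post's scenario: the user's own page versus a malicious page in another tab."""
    sid, token = start_session()
    # 1. The webmail page itself: the browser sends the cookie AND the page's hidden token.
    legit = handle_send_mail({"session": sid}, {"to": "friend@example.com", "csrf_token": token})
    # 2. The evil page calling Gmail "in the background": the browser still attaches the
    #    cookie, but that page never saw the token, so it cannot include it.
    forged = handle_send_mail({"session": sid}, {"to": "attacker@example.com"})
    return legit, forged


if __name__ == "__main__":
    print(demo())
```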

If you are a user, be aware of this problem. Don't become paranoid, but think twice before storing any sensitive data on a web-based service. Don't use old web browsers, because they are usually more vulnerable. Make sure your anti-virus software is kept up to date.