Friday, 3 August 2007

Web 2.0 is Fundamentally Broken

"Web 2.0 is fundamentally broken," says Robert Graham, the CEO of Errata Security. "Using the tools it's easy to hijack other people's credentials. It's a fundamental flaw in Web 2.0." Well, I have to say the evolution of Web 2.0 (web apps) is what scares me the most in terms of Information Security today.

At Black Hat 2007 Robert Graham of Errata Security demonstrated how easy and quick it was to break into the most common Web 2.0 applications like GMail, HotMail, MySpace and FaceBook. Using Errata's soon-to-be-released freeware tools "Hamster" and "Ferret", Robert scanned the Black Hat wireless network during his presentation, sniffing out users' URLs until he found a user using GMail. He was then able to very quickly open up that person's session and display the poor guy's GMail inbox on the big screen, thanks to the Errata tools.

This hack works because the Errata application is able to grab the user's cookie from the sniffed traffic, and that cookie is what authenticates the user's web session. I can't speak for the other Web 2.0 services as I don't use them, but if you are a Google GMail user, I always advise using "secure http" to access it, i.e. https://gmail.google.com, as that ensures all traffic between Google and your web browser is encrypted, including the cookie info, and so will defeat this type of hack.

These hacking tools are supposed to be available to download as freeware at some point today; I will grab them and give them a try.
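
As an added example (not from the original post or from Errata's tools), here is a small Python audit that flags session cookies a passive sniffer on a shared network could read. A cookie is flagged if it is set over plain HTTP, or if it lacks the `Secure` attribute, which the post does not mention but which stops the browser from sending the cookie over unencrypted connections. The host name and cookie values are constructed.

```python
from urllib.parse import urlsplit

# Constructed sample responses: (URL, Set-Cookie header values).
# Host name and cookie values are hypothetical.
SAMPLE_RESPONSES = [
    ("http://mail.example.test/inbox", ["SID=c0ffee; Path=/"]),
    ("https://mail.example.test/login", ["SID=c0ffee; Path=/; HttpOnly"]),
    ("https://mail.example.test/login", ["SID=c0ffee; Path=/; Secure; HttpOnly"]),
]


def parse_set_cookie(header):
    """Return (name, set of lower-cased attribute names) for one Set-Cookie value."""
    first, *attrs = [part.strip() for part in header.split(";")]
    name = first.split("=", 1)[0]
    return name, {a.split("=", 1)[0].lower() for a in attrs if a}


def audit(responses):
    """List (url, cookie name, reason) for cookies exposed to a network sniffer."""
    findings = []
    for url, headers in responses:
        scheme = urlsplit(url).scheme
        for header in headers:
            name, attrs = parse_set_cookie(header)
            if scheme != "https":
                # The Set-Cookie header itself crossed the network unencrypted.
                findings.append((url, name, "set over cleartext HTTP"))
            elif "secure" not in attrs:
                # Set safely, but the browser will attach it to any later
                # http:// request to the same host.
                findings.append(
                    (url, name, "no Secure attribute: sent on later http:// requests")
                )
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RESPONSES):
        print(*finding, sep=" | ")
```
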

5 comments:

Alex said...

I wasn't at the session, but was his assertion that not using https, or using cookies, is a Web 2.0 phenomenon?

Anonymous said...

Web 2.0 has a broad definition; certainly Web Mail and Social networking sites are Web 2.0, no matter the cookies or https. I would say the security of the said web apps from this type of attack is down to hosts employing https servers or getting smart with their web app programming. So when the Black Hat guy says Web 2.0 is broken he is kinda right, as you have to go beyond "the norm" Web 2.0 (whatever that is), to fix it. Anyway, an interesting hack to be aware of.

Shawn said...

I actually think his comment that "Web 2.0 is fundamentally broken" is way over the top. Is it really news that stealing the session ID of a website gives you control over the session? Is this really a Web 2.0 phenomenon? No. This has always been known. Frankly, I don't know why his presentation got so much press... Of course, it may be because he said something sensational like "Web 2.0 is fundamentally broken".

No news here... Only FUD.

Corzair said...

FUD? I seriously doubt that, pal!
About Web2.0, those in the know have always worried about the security aspects. I read about that many years ago when just XML was being initially discussed.

Rob said...

It's very hard to say what IS and what ISN'T Web2.0, therefore we could sit here all week debating whether this was right or wrong.

The principle behind what he is saying however is that building layers of functionality on something we haven't yet fully secured is not safe.

To say it is "fundamentally broken" is maybe over the top, but the point is, it creates awareness. Call it FUD if you want, but certainly you should be watchful.

Don't shoot the messenger, Shawn; what Dave does extremely well is report relevant, up-to-date security news.

"This has always been known" is just not true. Maybe amongst developers, but not the wider community, and what we need is to disseminate, teach and listen, not criticise.

You can criticise when people are on their soap box, banging on with their own opinions. You're welcome to come and post on my blog...