As Web 2.0 evolves, security becomes an issue
By Robert McMillan, IDG News Service, 04/25/2007
Samy Kamkar was really just trying to impress girls. Instead he made Web hacking history.
Kamkar created what is considered the first Web 2.0 worm -- a virulent bug that could not be blocked by a firewall, and which
ultimately forced the owners of MySpace.com to temporarily shut down the site. The Samy worm was just the most prominent of
a new generation of Web attacks that some security experts fear may slow down the fast-evolving collaborative model of Internet development known as Web 2.0.
The Samy worm popped up in late 2005. Kamkar says he discovered it while looking for a way to get around the Web site's content posting restrictions and add code that would
jazz up the look of his MySpace profile. By taking advantage of a bug in the way the Web site code was written, he was essentially
able to control the browser of anyone who visited his profile.
Within "a Chipotle burrito bowl and a few clicks" of discovering the vulnerability, Kamkar managed to create the fastest-spreading
Web-based worm of all time. Within 20 hours, the worm had spread to nearly 1 million MySpace.com users, forcing them to select
Kamkar as their "hero" on their profile page. News Corp. was eventually forced to shutter MySpace in order to fix the problem,
and Kamkar eventually got three years' probation in Los Angeles Superior Court.
Unlike the MyDoom and Sobig worms of years past, which clobbered systems and caused days of technical problems for system
administrators, Kamkar's worm didn't do anything to harm MySpace users' computers. And once MySpace fixed the problem, it
was fixed globally.
To security experts like Robert Hansen, the CEO of Web security consultancy Sectheory.com, the Samy worm is an example of
the kind of unexpected consequences that can arise when Web site operators let users become contributors to their Web properties.
Hansen, and a group of like-minded white-hat researchers, believe that we're only beginning to see what can go wrong when
the security of the new generation of collaborative, Web 2.0 applications gets tested.
They believe that without a radical change to the way that browsers interact with the Web, the Web 2.0 security problem will
only get worse.
From the start, desktops and Web servers were simply not designed to work together in a secure fashion. And as Web 2.0 pushes
these machines to do more and more exciting things that lie far from their academic, electronic publishing roots, the strain
is beginning to show, according to Hansen, who also maintains a Web site that serves as a discussion forum for the latest Web attacks.
"This is really just fundamentally about how browsers work," he said. Google Desktop, in particular, is of concern to Hansen
because with this type of service, vulnerabilities in the Web can ultimately affect the desktop. "If you allow a Web site
to have access to your drive -- to modify, to change things, to integrate, or whatever -- you're relying on that Web site
to be secure."
This is a problem faced by sites such as MySpace and eBay every day, but if Google Inc.'s vision of rich desktop and Web integration
becomes a reality, the security of Web 2.0 could become a more pressing issue for corporate users as well. "Historically,
Google has not been very good at understanding these issues," Hansen said.
The IDG News Service is a Network World affiliate.
Comments (1)
By Anonymous on June 19, 2007, 5:50 am: Regarding Barrett's comment on the need to evaluate web standards; interesting and potentially significant research is being conducted by IBM Research regarding...