Monday, 20 July 2009

It's all about the apps

This month Aviv Raff is running a month of (third-party) Twitter bugs. The majority of these bugs are XSS or XSRF (cross-site request forgery) and allow attackers to send tweets on behalf of a victim. These third-party web sites are effectively offering open relays that provide spammers and malware authors with new distribution channels, and as Aviv notes, these vulnerabilities can be used to create Twitter worms too.

Of course, this class of problem isn't limited to Twitter. For example, Facebook also has an open API that allows third-party developers to write their own applications that run on the Facebook platform. When the Facebook API first came out, I took a quick look at it and remember noticing that they did a decent job of preventing HTML and JavaScript injection (at least they were thinking about security). Instead of allowing developers to insert arbitrary HTML, Facebook forces them to use FBML. However, FBML is still a markup language, so untrusted data concatenated into it unescaped leads to FBML injection. Facebook even has its own query language, FQL (similar to SQL), which opens the door to FQL injection whenever an application builds a query by pasting user input into the query text.
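An added example of the FQL injection pattern, not code from the original post or from Facebook: a query builder that concatenates a user-supplied uid, next to a hardened builder. The table and column names (user.uid, user.name, friend.uid1, friend.uid2) are real FQL names from the API of that era; the helper names are hypothetical, the attacker input is constructed, and the string-escaping rule is an assumption noted in the code. Facebook has since retired FQL, but the pattern applies to any SQL-like query language that lacks bind parameters.

```javascript
// Added example (not from the original post or from Facebook): FQL injection
// via string concatenation, next to a hardened builder. FQL has since been
// retired, but the pattern is the same for any SQL-like query language.
// Table and column names are real FQL names; helper names are hypothetical.

// Vulnerable: the caller's value is pasted straight into the query text.
function buildUserQueryUnsafe(uid) {
  return 'SELECT name FROM user WHERE uid = ' + uid;
}

// Hardened: FQL had no bind parameters, so the defence is to make the
// untrusted value fit its grammatical slot. A uid is a numeric literal, so
// anything that is not a plain digit string is rejected outright.
function buildUserQuerySafe(uid) {
  if (typeof uid !== 'string' && typeof uid !== 'number') {
    throw new TypeError('uid must be a string or number');
  }
  const s = String(uid);
  if (!/^\d{1,20}$/.test(s)) throw new Error('uid must be a decimal integer');
  return 'SELECT name FROM user WHERE uid = ' + s;
}

// For string slots, quote and escape. Assumption: backslash escaping inside
// single-quoted strings, as in SQL; adjust if the target grammar differs.
function fqlStringLiteral(value) {
  return "'" + String(value).replace(/\\/g, '\\\\').replace(/'/g, "\\'") + "'";
}

function buildNameQuerySafe(name) {
  if (typeof name !== 'string' || name.length > 100) throw new Error('bad name');
  return 'SELECT uid FROM user WHERE name = ' + fqlStringLiteral(name);
}

// Crude structural check used to show that the unsafe builder let the
// attacker change the shape of the query: a lookup by uid should contain
// exactly one SELECT and no boolean or set operators.
function queryShapeChanged(query) {
  const selects = (query.match(/\bSELECT\b/gi) || []).length;
  const operators = (query.match(/\b(OR|AND|IN)\b/gi) || []).length;
  return selects !== 1 || operators !== 0;
}

// Constructed attacker input: turns "look up one user" into "look up that
// user plus everyone on their friend list".
const payload = '4 OR uid IN (SELECT uid2 FROM friend WHERE uid1 = 4)';
```

Run against the constructed payload, `buildUserQueryUnsafe` returns a query with two SELECTs and an extra subquery, and `queryShapeChanged` flags it; `buildUserQuerySafe` throws before any query is built. The same discipline applies to FBML: decide what grammatical slot the untrusted value fills (a number, a quoted string, text inside a tag) and validate or escape for that slot rather than for "HTML" in general.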

In the end, even if your favorite social networking websites were secure and never fell prey to another vulnerability (yeah, right), we would still need to contend with all of the third-party apps that use their APIs. API providers should include documentation about security in their developer guides. Twitter recently added a Security Best Practices page in their developer section, but I'd like to see security documentation in-line (explicitly included with the code examples) rather than as a footnote or reference section.
Posted by elee at 5:07 PM in Random
