Security issues with Ajax based homepages_1


I was thinking about the potential risks of using a single homepage like Netvibes and was not surprised when an expert on CNET news declared: "... AJAX doesn't just help make Web pages and sites more interactive. It could also provide ways for hackers to hit a Web server and to exploit sites in attacks on visitors...". and also :"An attacker can exploit this type of vulnerability to hijack user accounts, launch information-stealing phishing scams or even download malicious code onto users' computers, experts have said. Big-name Web companies such as Microsoft, eBay, Yahoo and Google have all experienced cross-site scripting flaws on their Web sites".

On the net-security.org web site I also read this more technical paper: Top 10 Ajax Security Holes and Driving Factors by Shreeraj Shah (net square ) Friday, 10 November 2006.

So, here are my points in the discussion.

1) Netvibes can help me looking at my gmail, ebay, yahoo, and many other registred services if "I give them" my passwords in order to access directly to the services I am registred to.
Passwords must be stored somewhere and there are surely risks of hackers "getting them".

How serious are those risks ? What is done to reduce them ?

2) Netvibes offeres modules, feeds, tabs that have been uploaded by external sources with no control by Netvibes as they mention it clearly when you upload them.
Those external applications interact with the Netvibes page and, I believe, my own hardware for instance by opening external browser pages.

How serious are those risks ? What is done to reduce them?

Well, I hope someone will answer...

To be continued.

No comments: