Phishing with widgets
Ironically, as I was starting to write this post I had a quick check in my Gmail spam folder and found an email starting:
Dear PayPal customer!
As part of our security measures, we regularly screen activity in the
PayPal system. We recently contacted you after noticing an issue on your
account. We requested information from you for the following reason: …
Well, apart from not having a PayPal account, I’m certainly suspicious of anyone asking me to go to anything other than the expected URL, and even if the link did point to the right one I would be very wary. Unfortunately you’re probably familiar with this type of scam and have a similarly careful response.
And, as if on cue, I’ve just received a Security Bulletin from Microsoft which contains a digital signature so that I can verify that it was sent by them.
Phishing has effectively ruled out the use of emails to customers in the financial sector for anything other than promotional marketing. I suspect that we’re going to find similar roadblocks with widgets, badges, or whatever term is used to describe those bits of code that we drop so willingly into our blogs or other Web 2.0 applications.
This all stems from some research I was undertaking into Netvibes, and in particular their ‘Universal Widget API’. This holds out the possibility of creating widgets that could be used on a number of websites (e.g. Netvibes and Google IG) and desktops (Mac Dashboard and Vista Sidebar) without any changes to the code.
An exciting prospect. Unfortunately the technology that underlies the promise also looks to be what restricts its use. A French security blogger created a widget that allowed him to read the rest of the contents of a user’s Netvibes page, and in this case the page also contained access details to one of their servers.
If you’re interested in the details then you can find the nitty-gritty on Niall Kennedy’s blog. The basics, though, lie in the way that the widgets are combined on a page & their reliance on JavaScript: because every widget is dropped into the same page, their scripts all run in one document, and the browser’s same-origin policy, which keeps one site from reading another, gives no separation between them. There are some safeguards built into browsers, but they couldn’t stop a program in one widget wandering through the rest of the data on the page. So if there’s a Gmail widget then that could include your latest emails and possibly even the login credentials.
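To illustrate the point, here is an added example (not code from Netvibes or from Niall Kennedy’s write-up) of a host page that renders one widget inline and another inside an iframe with the modern HTML5 `sandbox` attribute, which post-dates this post; the sandboxed widget probes whether it can reach the host document and reports what happened. The widget names, markup and inbox text are constructed for the demonstration.

```html
<!DOCTYPE html>
<html>
<head><meta charset="utf-8"><title>Widget isolation demo (constructed example)</title></head>
<body>
  <!-- Constructed host page: an inline "mail" widget whose markup is part of the host document. -->
  <div id="mail-widget">
    <h3>Inbox</h3>
    <ul><li>Sample message: "Your statement is ready" (constructed data)</li></ul>
  </div>

  <!-- Inline widget: its script runs in the host document, so nothing separates it from #mail-widget. -->
  <script>
    // A same-document widget can read every element on the page; this is the
    // situation the post describes, not a browser bug.
    const inlineSees = document.getElementById('mail-widget').textContent.trim().length > 0;
    document.body.insertAdjacentHTML('beforeend',
      '<p>Inline widget can read the inbox widget: <b>' + inlineSees + '</b></p>');
  </script>

  <!-- Isolated widget: a sandboxed iframe without allow-same-origin gets an opaque origin,
       so the same-origin policy now applies between the widget and its host. -->
  <iframe id="isolated-widget" sandbox="allow-scripts" title="isolated widget"
          srcdoc="<script>
            let result;
            try {
              // Cross-origin access to the host document is blocked and throws a SecurityError.
              const n = parent.document.getElementById('mail-widget');
              result = 'NOT isolated (read ' + n.textContent.length + ' chars)';
            } catch (e) {
              result = 'isolated (' + e.name + ')';
            }
            // Report back over postMessage, the only channel the host chose to expose.
            // targetOrigin '*' is acceptable here only because the message carries no secrets.
            parent.postMessage({ widget: 'isolated-widget', result }, '*');
          </script>">
  </iframe>

  <script>
    // Host side: pin the sender to the frame it created and accept only the expected message shape.
    window.addEventListener('message', (ev) => {
      const frame = document.getElementById('isolated-widget');
      if (ev.source !== frame.contentWindow || !ev.data || ev.data.widget !== 'isolated-widget') return;
      document.body.insertAdjacentHTML('beforeend',
        '<p>Sandboxed widget reports: <b>' + String(ev.data.result).replace(/</g, '&lt;') + '</b></p>');
    });
  </script>
</body>
</html>
```

Opening the file in a browser shows the inline widget reading the inbox text while the sandboxed one reports "isolated (SecurityError)"; the host-side checks on `ev.source` and message shape are what keep the postMessage channel from becoming a new way in.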
Other forms of add-ons using different technologies aren’t exempt from problems either. In WordPress they’re known as plugins – and they have full access to the database. So here there’s a possibility that code could be surreptitiously hidden to transmit user names & passwords to another server. In fact malicious code was added to the core of WordPress by a hacker at the beginning of last month (so if you’re still using version 2.1.1 you need to upgrade now – the WordPress blog has more details).
So, all in all, it’s probably time for us to become more cautious and, amid all the buzz & excitement of Web 2.0 applications, to heed some of the warnings of the security community. Somehow that has to be achieved without halting the innovation and momentum produced by a burgeoning development community.