Tech Industry

New hole in Web security reported

Many of the Internet's most popular Web sites are vulnerable to security threats, according to a new report.

Many of the Internet's most popular Web sites are vulnerable to new security threats, according to a report released today.

The problem involves "authentication form fields" used to get into many sites, according to Web security firm Miora Systems Consulting. It says companies and organizations frequently misuse hidden form fields as security measures on their sites.

The firm estimates that the problem could affect more than 90 percent of Web sites engaged in online transactions. Miora asserts that the problem is more serious than previous warnings that hidden form fields are not actually hidden.

Hidden form fields are used with CGI (common gateway interface) programs. They maintained confidential information before "cookies" were available and provided a mechanism for implementing security features.

These special fields, found on user-submitted HTML forms, contain information that is, by default, not displayed by the Web browser. This information is passed along to the CGI programs, along with user input, to assist in processing information for marketing and other purposes.

But many Web designers do not realize that use of hidden form fields can leave proprietary information open to major security risks, according to Miora Systems. This form field vulnerability is an "allowed path," meaning it is not protected by firewalls, which are primarily designed to block traffic that should not have access to the site.

Analysts say the hidden form fields issue is a relatively new one.

"But that doesn't mean it isn't out there. It is one of many out there," said Ted Julian, a security analyst with Forrester Research. "It's pretty early to say ultimately that this is a major concern. But it is important to find these issues and address them. That's how we make progress."

Starting today, Miora is offering a fix to the problem that can be downloaded free of charge. Because the problem results from insecure Web site content, rather than a vendor-specific software glitch that can be quickly patched, the company said it decided to hold off announcing the problem until it found a way to fix it.

"There are a lot of ways the fields can be abused," said Stephen Cobb, director of education and research at Miora. "We've found that people have masqueraded as someone else by downloading the field form and filling it out on their hard drive then putting it back. The Web server can be fooled to think the person is who he says he is."

Miora defended itself against potential criticism that it is publicizing the problem to scare up more business. That is a charge that could be leveled at any security-related company that tries to raise awareness about a particular security concern, it said.

During the firm's research for its report, Cobb said he heard horror stories of people using similar tactics to submit bogus online transactions and falsify authentication credentials.

According to the company, there are three basic ways to address the security hole:

  • Eliminate all hidden form fields from Web sites.

  • Redesign CGI programs, and eliminate some hidden form fields.

  • Introduce a protective element on the Web server that addresses the problem.