The buzz around the new technology echoes--complete with pricey conferences, plenty of start-ups, and innovative companies like MySpace.com and Writely being snapped up for big bucks. And the sense of deja vu goes even further for some experts. Just as in the , they say, the development momentum is all about features--and protections are being neglected.
"We're continuing to make the same mistakes by putting security last," said Billy Hoffman, lead engineer at Web security specialist SPI Dynamics. "People are buying into this hype and throwing together ideas for Web applications, but they are not thinking about security, and they are not realizing how badly they are exposing their users."
, Samy and Spaceflash are among the higher-profile attacks that have surfaced online. The Yamanner worm targeted Yahoo Mail, harvesting e-mail addresses and forwarding itself to all contacts in a user's Yahoo address book. The and worms both spread on MySpace, changing profiles on the .
lacks a precise definition; it's used mainly as a catch-all term to cover Web sites that are more than just plain, static pages. Web 2.0 sites are more interactive, allowing people to tag photos posted online, for example. Unlike their predecessors, they deliver an experience more .
But AJAX doesn't just help make Web pages and sites more interactive. It could also provide ways for hackers to hit a Web server and to exploit sites in attacks on visitors, experts said.
"Think of it like a house," said Hoffman, who will give a presentation on AJAX security at next week's Black Hat security event in Las Vegas. "A traditional Web site is like a house with no windows and just a front door. An AJAX Web site is like a house with a ton of windows and a sliding door. You can put the biggest locks on your front and back doors, but I can still get in through a window."
AJAX also increases the possibility of so-called , which occur when the site developer doesn't properly code pages, experts said. An attacker can to hijack user accounts, launch information-stealing phishing scams or even download malicious code onto users' computers, experts have said. Big-name Web companies such as Microsoft, eBay, Yahoo and Google have all experienced .
But cross-site scripting issues are only one risk. Other potential problems in AJAX code include race conditions, code correctness issues, object model violations, insecure randomness and poor error handling, said Brian Chess, chief scientist at Fortify Software, a maker of .
Such errors could expose people's data, let one user control another user's session, allow malicious code to run, or enable other attacks, Fortify said. The company's researchers found examples of all of these errors in sample AJAX code in a December analysis of "Foundations of Ajax," a how-to-book aimed at software developers.
"Since the code samples (in the book) are likely to be regarded as a best-practices guide, many software developers worldwide will learn insecure coding habits," Chess said.
Ryan Asleson, one of the authors of "Foundations of Ajax," said he had not heard of the alleged flaws in the sample code. However, he said, if those problems do exist, it is possible, because the code was kept as simple for a large audience. "We never intended the code that's in there to actually be production-ready code," he noted.
The key to preventing security issues is developer training and practices, Asleson said. "I think it would be naive for anyone to say that there are no security problems," he said. "There are a lot of things that developers can do that can open all kinds of security holes."
But Asleson, who aside from authoring two AJAX books is also a developer, disagrees with the notion that Web developers neglect security. "In some ways, there are some parallels between what we saw on the desktop 10 years or so ago. But back then, security really wasn't really on anyone's radar, and today, it very much is," he said.
That sentiment was echoed by Google and AOL, two of the Web's giants. Google is a big AJAX fan, Douglas Merrill, vice president of engineering at Google, said in an interview via e-mail.
"In AJAX development, like all software development, it's important to carefully address security and build products with the user's best interests in mind," Merrill said. One of the benefits of Web-based applications, he noted, is that deploying fixes is typically fast and easy, requiring no action from the user.
Though Google hasn't been completely free of Web site flaws, security is part of the design, development, delivery and operation of its products and services, Merrill said.
"In our experience, processes where security is 'done' only by a security team are not scalable and tend to be ineffective," he said. In contrast, we strive to integrate security into the overall product development process."
Bigger is better?
AOL said it believes large Web companies do a better job at security than small ones that are just starting out. "We have the advantage of more than two decades of experience and a large professional security team to help us keep new and existing products secure," company spokesman Andrew Weinstein said.
There is a rush to try and create the next MySpace, Flickr or Google Maps, Hoffman said, and there aren't many barriers to entry. But simply building the Web site is not the end of the development work, he added. Developers have to be security-conscious, about both bugs and the unanticipated malicious use of built-in features, he said.
Yahoo said it strives to protect members' information and to help with security across the industry. "We have a dedicated team of experts that ensure security is top-of-mind among our engineers and also help developers create secure services through a variety of methods throughout the engineering process, including developer education, infrastructure, reviews and tools," a company representative said.
At MySpace, last October's Samy worm is considered one of the first to exploit a cross-site scripting flaw. It exploited vulnerabilities in the MySpace site to add a million users to the author's "friends" list. When a MySpace user viewed an infected profile, his profile would in turn be infected and become infectious.
Both attacks were relatively innocent. But experts are cautioning that such flaws could be used in much more serious incidents. "I don't think the attackers, or the defenders, are up on Ajax yet," Chess said.
The burden rests on Web site developers to make sure their users and servers stay safe, experts said. Internet users can protect themselves to some extent using PC security software, such as virus and phishing shields. But such applications are typically most effective after an attack has surfaced, because they rely on attack signatures (the "fingerprint" of the threat) or blacklists of known malicious sites.
"The end-user ends up getting screwed, but the Web application really has the vulnerability in it," Hoffman said. "The only people who can fix the problem are the actual people who run the Web applications."