Widgets, or mini Web applications, are popular tools or Web add-ons for users to express themselves on different Web 2.0 applications, such as Facebook or Twitter, or for organizations to
In this tip, we'll explain how assessing the security of the widgets in Web 2.0 applications before incorporating them into their Web 2.0 environments can protect businesses Web visitors, internal users and, ultimately, their corporate reputations. Though there are legitimate business uses of Web 2.0 widgets, particularly for incorporating content from third-party sites like Facebook, Twitter, Google and others, these widgets can all too easily distribute malware and malicious code, or potentially advance other attacks.
Web 2.0 widgets explained
Widgets are independent applications or snippets of code from third-party sites that can be used independently or included in other websites and Web applications. They often display content, like news items or press releases, for example, but they can perform other actions too, like display a Twitter feed or include a recent blog post from another page or site. Twitter widgets let users display individual tweets on websites that can serve as real-time updates for site visitors. Similarly, Facebook widgets allow content from Facebook to be served when visiting a third-party website.
Security threats from Web 2.0 widgets
Malware authors started taking advantage of widgets as an attack vector several years ago, as noted in a 2008 advisory from Fortinet Inc.'s FortiGuard Center, which highlighted the Zango malware that was distributed by a malicious Facebook widget. Such threats aren't exactly new, but similar ones are plentiful in the wild today, and like Web 2.0 applications themselves, they are constantly evolving.
Web 2.0 widgets not only pose a security risk to enterprises, but also to individual website visitors. Risk scenarios to the enterprise vary depending on specific widgets used, but typically an individual employee would fall prey by accessing malicious widget content on the Web that affects his or her computer by planting malware that seeks to infect the network or steal sensitive data stored on the user's computer.
Web 2.0 widgets: Enterprise defense strategy
Despite these threats, there are ways to securely allow widgets to be used in the enterprise, both by users for their own consumption and when building mashups for external use. To protect an organization's Web visitors from malicious Web 2.0 widgets, there should first be a security awareness program in place for enterprise Web developers when including third-party widgets into websites they develop. Developers should be made aware of the potential risks from such widgets and taught to evaluate the security of the widgets before publishing them, a step easily forgotten given how simple it is to publish a new widget to a site.
To protect internal users from putting company networks and data at risk, use the standard antimalware protections. A combination of network and endpoint defenses will protect users from most malicious content encountered via a widget. Various network appliances -- often the same devices your organization may use to block basic malware, Web proxies, etc. -- include protections for social networking. Some devices offer this in the base functionality, but others require additional licenses or modules to monitor for these types of threats.
Awareness of the potential threats and ensuring that adequate antimalware protections are in place are critical to protect against Web 2.0 widget threats. Malicious or hacked Web 2.0 widgets can easily distribute code from third parties that can harm your infrastructure, steal your sensitive data or abuse the trust consumers Web visitors have in your organization. Going forward, it's critical that your enterprise not only realize that these mashups can be dangerous, but also implement the proper protections and practices to prevent them from causing harm.
About the author:
Nick Lewis (CISSP, GCWN) is an information security analyst for a large Public Midwest University responsible for the risk management program and also supports its technical PCI compliance program. Nick received his Master of Science in Information Assurance from Norwich University in 2005 and Telecommunications from Michigan State University in 2002. Prior to joining his current organization in 2009, Nick worked at Children's Hospital Boston, the primary pediatric teaching hospital of Harvard Medical School, as well as for Internet2 and Michigan State University. He also answers your information security threat questions.
This was first published in July 2010