2008-05-01 13:24:24

By Tim Brown

Securing networks, of both the social and electronic variety, interests me. The old saying that "no man is an island" was never more true than it is now. We're an interconnected species and those connections span the globe. Anyway, with that thought in mind, I thought I'd share two interesting developments in the security domain that have occurred this week.

The first concerns Windows Vista's gadgets, a topic I've discussed before, and indeed released a paper on. MWR have also been doing some work on them and they've started to publish advisories for some of the issues they've found. All well and good, but the issues they describe require an attacker capable of intercepting traffic between the gadget and the web server: the script is injected into the gadget's traffic and is therefore executed. Yes, MWR have decided that man in the middle attacks should be considered harmful! Personally, I think the release of such advisories is somewhat disingenuous. True, remote code execution can result, but when you think about it, surely if you can man in the middle, there are more structural failings in your network topology. Maybe now is the time to start releasing JavaScript injection advisories for every web app in existence?

Secondly, the good folk at the BBC have been playing with the Facebook API and have found a problem with users' default profile permissions. As a disclaimer, I've seen the details, but it's fair to say that once you consider the model of allowing code to be hosted on third-party systems, and provide an API allowing said code to query your users' data, all bets are off! Even MySpace hosts applications that interact with its API. Actually, given that the problem lies in default profile permissions, perhaps it's the end user that is to blame, but given people's lack of understanding, I still think sensible defaults regarding access to users' data should have been set. It will be interesting to see whether Facebook's reaction hits the mainstream security press.

Mood: Amazed

Music: Nothing playing right now