Gmail vulnerability - Web 2.0's

When a design flaw in Google's web-based software was discovered earlier this week, it alarmed many people about a worrying trend in IT security.

The question is what must be done to protect internal systems and important data when employees use email services or collaborative software on their employer's computers.

The Gmail security flaw was first published on the Googlified website. According to that report, the problem stemmed from the way Google's software stored information in a JavaScript file on the company's server.

Before Google installed the patch, a hacker could override the JavaScript Object Notation (JSON) data that Google used to send information from its server to the user's machine, and retrieve it, gaining access to all the contact information stored in the user's Gmail account, provided the user was logged in to Google. This class of attack is called 'cross-site request forgery'.

JSON is what lets the web mail client auto-complete addresses in the 'To:' field of the compose window: the user only needs to type a few characters of a saved recipient's address and the client fills in the rest without the user typing it in full.
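The mechanism behind the two paragraphs above, as an added example that is not Google's code or the article's own: a JSON array body is also a valid JavaScript program, so a contact list served that way can be pulled in by a third-party page with a script tag; the two standard mitigations shown here are an unparsable prefix that the first-party client strips, and a request-header check that a script include cannot satisfy. The contact data and the `shouldServeContacts` request shape are constructed assumptions.

```javascript
// Constructed sample of what a contact-list endpoint might return (fictitious data).
const CONTACTS = [
  { name: 'Alice Example', email: 'alice@example.com' },
  { name: 'Bob Example', email: 'bob@example.com' },
];

// Prefix that makes the response a syntax error when loaded as a script.
const ANTI_HIJACK_PREFIX = ")]}',\n";

// Vulnerable shape: a bare JSON array is a valid JavaScript expression statement.
function plainJsonBody(contacts) {
  return JSON.stringify(contacts);
}

// Hardened shape: same data, but no longer runnable when included as a script.
function hardenedJsonBody(contacts) {
  return ANTI_HIJACK_PREFIX + JSON.stringify(contacts);
}

// Defender's check: would a browser be able to execute this body as a <script>?
// The Function constructor only parses here (nothing is called); a successful
// parse means a cross-origin script include could run the body in its own page.
function isExecutableAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    return false; // SyntaxError: the body cannot be loaded as a script
  }
}

// First-party client: verifies the prefix, strips it, and parses the JSON after it.
function parseHardenedJson(body) {
  if (!body.startsWith(ANTI_HIJACK_PREFIX)) {
    throw new Error('missing anti-hijack prefix');
  }
  return JSON.parse(body.slice(ANTI_HIJACK_PREFIX.length));
}

// Server-side gate (hypothetical request object with method and lower-cased headers):
// a <script src> include is a plain GET with no custom headers, so requiring either
// POST or a custom header set by the first-party XMLHttpRequest refuses such loads.
function shouldServeContacts(req) {
  return req.method === 'POST' || req.headers['x-requested-with'] === 'XMLHttpRequest';
}
```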

Google also acknowledged that in the first days of the new year it received a warning about an issue involving the use of JSON objects that affected many of the company's products. Heather Adkins, Google's information security manager, said: 'Those who are abused will expose information unintentionally'. Google announced that the problem was fixed within 24 hours of receiving the notice.

Gary McGraw, chief technology officer of Cigital, a web security service provider, commented: 'Google corrected it very quickly, and it also made you understand that the problem is serious'. According to him, Google's newly discovered security vulnerability is 'the beginning of a series of problems that will occur when people take SOA seriously, as well as Web 2.0, JavaScript-based technologies, client-side extensions and browser-based features'.

Most security experts agree that protecting web application software is paramount for both system and data security, but they still debate whether security holes in consumer-facing web applications such as web mail, chat and social networks like MySpace and Facebook are real threats to business IT systems.

Employees 'innocently' use web mail and other web services on their work computers, while those in charge of IT management are hardly able to assess the security of those web applications. Yankee Group senior analyst Andrew Jaquith said that it is precisely what we do not understand about web applications that makes them so risky.

He said: 'Since they are not fully understood, they will attract the great interest of hackers'. He also said that 'this practice will also cause IT managers to worry a lot because consumer applications are becoming more and more practical parts of the collective IT infrastructure'.

This also means that employees sometimes 'throw' a whole bunch of work-related information into the huge data archives managed by web mail systems. A very simple example: when an employee cannot remember the password for a certain website, they type that password into a message and send it to their web mail account, so they can reach the website from whichever network their computer is connected to.

There would be nothing to worry about if no password of this kind gave access to work-related pages; when one does, web mail security becomes a real headache.

'Web mail accounts will give you access to everything', said Jeremiah Grossman, founder and CTO of WhiteHat Security, a maker of web application security assessment software. Grossman also previously worked for Yahoo as a security officer.

According to him, cross-site request forgeries are not only used to steal information from web mail accounts; hackers will also gain access to any account the user can reach through it, including bank accounts.

Another worrying scenario is one where hackers steal web mail users' IDs and passwords and then forge mail to their colleagues. Mr. McGraw explained further: 'All hackers have to do is send one email to the user's colleagues, which can say, "I am working from home today, so please exchange work with me by email".' This trick may be a big catch when a lot of work-related information then flows back to that email account.

However, other security experts still consider employees leaking important business information through web mail, unintentionally or deliberately, more dangerous than the business being attacked by malware.

Senior analyst Nick Selby of The 451 Group explains: 'Which applications your employees use outside the control of the company's IT department has become a significant security concern. When your business is hit by malware, you can determine that when you check the endpoints, and if so, just isolate the infected endpoints.'

Currently Google, Yahoo and many other web service providers are enthusiastic about the 'excellent' features of Web 2.0 built on JavaScript, and they will also quickly fix security holes, though it is impossible to 'rejoice' on receiving a report like the one Googlified has just published. It may be impossible for IT managers to stop employees using web applications, but they still need to be very wary of the risk of data loss and system downtime.

Do Duong