Risk
7/3/2007
12:21 PM
50%
50%

Security Star Shares Top 5 Most Popular Web 2.0 Services Sure To Be A Hit With Hackers

As I was checking out what's going on today (and, let's be honest, thinking about my July 4 plans), I came across a blog posting that I couldn't resist sharing with InformationWeek readers. It's entitled "The Top 5 most Popular Web2.0 Services Hackers Cannot live Without," and it includes mashups, RSS readers, and an online database app.

As I was checking out what's going on today (and, let's be honest, thinking about my July 4 plans), I came across a blog posting that I couldn't resist sharing with InformationWeek readers. It's entitled "The Top 5 most Popular Web2.0 Services Hackers Cannot live Without," and it includes mashups, RSS readers, and an online database app.The blog is the brainchild of 22-year-old, London-based security consultant (and self-proclaimed "life-hacker") Petko D Petkov, who goes by the handle "pdp." More info about Petkov can be found here. Petkov's list is based on the findings he recently presented at the 2007 Open Web Application Security Project, or OWASP, Appsec Conference in Italy.

1) The Web 2.0 service that Petkov lists first is Yahoo Pipes, which he refers to as the "web hacker power tool" that can't "be compared to any other service available on-line," not even Google Mashup Editor. Yahoo describes Pipes as a hosted service that lets the user remix feeds and create new data mashups in a visual programming environment. Petkov calls Yahoo Pipes "the most elegant tool for all sorts of malicious purposes on-line."

2) Dapper is Web 2.0's "scraping service," Petkov writes, and is most suitable for community-supported malware code. In short, Dapper makes it easier to create worms that propagate across the entire Web.

3) Feed43 takes Dapper to another level, allowing the malware writer to create regular expression-like rules, Petkov writes. Pronounced "feed for free," it's an online service that serves as a proxy between a news reader application and third-party Web sites that don't support RSS natively, allowing you to convert any Web page into an RSS feed. "Do you want to extract the latest Google Hacking database entries, or you may prefer to look for SQL Injection payloads? No problem," Petkov writes.

4) Zoho Creator is an online database application, or as Petkov puts it, "MS Access for the Web." The application lets you do things like phish users using client-side JavaScript. "For example, create a new database that has fields for the username, the password and of course the website where the credentials were retrieved from. Now link that to your JavaScript. When you hijack the login forms [you are] after, just send the credentials across Zoho. The Service will store them for you and will send you a confirmation email," he writes, adding, "I'm loving it!"

5) Google Reader RSS reader "is one of the most powerful feed backup and mashup services on-line," Petkov writes. The reader can be used to backup stolen credentials and mash them with other malicious feeds. "It is so powerful that you can export to mashed feeds again into ATOM and then feed it back to your Trojans," he concludes.

Petkov calls a "security mashup" a way to create largely distributed testing infrastructures, a mechanism for instantly accruing dynamic knowledge that, he admits, has a lot of potential for bad purposes, and a way to bypass the "same original policies" to an extent.

Who knew Web 2.0 could be so dangerous?

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6501
Published: 2015-03-30
The default soap.wsdl_cache_dir setting in (1) php.ini-production and (2) php.ini-development in PHP through 5.6.7 specifies the /tmp directory, which makes it easier for local users to conduct WSDL injection attacks by creating a file under /tmp with a predictable filename that is used by the get_s...

CVE-2014-9652
Published: 2015-03-30
The mconvert function in softmagic.c in file before 5.21, as used in the Fileinfo component in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5, does not properly handle a certain string-length field during a copy of a truncated version of a Pascal string, which might allow remote atta...

CVE-2014-9653
Published: 2015-03-30
readelf.c in file before 5.22, as used in the Fileinfo component in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5, does not consider that pread calls sometimes read only a subset of the available data, which allows remote attackers to cause a denial of service (uninitialized memory ...

CVE-2014-9705
Published: 2015-03-30
Heap-based buffer overflow in the enchant_broker_request_dict function in ext/enchant/enchant.c in PHP before 5.4.38, 5.5.x before 5.5.22, and 5.6.x before 5.6.6 allows remote attackers to execute arbitrary code via vectors that trigger creation of multiple dictionaries.

CVE-2014-9709
Published: 2015-03-30
The GetCode_ function in gd_gif_in.c in GD 2.1.1 and earlier, as used in PHP before 5.5.21 and 5.6.x before 5.6.5, allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted GIF image that is improperly handled by the gdImageCreateFromGif function.

Dark Reading Radio
Archived Dark Reading Radio
Good hackers--aka security researchers--are worried about the possible legal and professional ramifications of President Obama's new proposed crackdown on cyber criminals.