Web 2.0 makes it easy for users to share content with each other. When widgets get compromised via Web application vulnerabilities or other means, Web 2.0 sites can end up serving malware even if those sites are not directly hosting the malware themselves.
How prevalent are these threats?
“70 percent to 80 percent of threats propagate through Web application layer attacks instead of network layer attacks, yet most of the security budget is allocated to network-layer attacks,” said Neil Daswani, CTO and co-founder of Dasient. “There will be a shift over the next few years where increasing parts of the security budget will get spent on application layer defenses to match the current threat landscape.”
Widgets, of course, are pieces of code that can be used to render a part of a Web page. They often provide some piece of functionality of an overall Web page. For instance, a widget can be used to render an ad or a video. At the same time, a widget does not always have to add something visual to a Web page. Some of the most popular ones, for example, do not render any content, but just gather information about site visitors to allow website owners to conduct audience measurement and learn about their user base.
According to Dasient, the most popular widgets are: those used for Audience Measurement such as Google Analytics, Quantcast and ScorecardResearch; advertising widgets by DoubleClick and Google AdSense; Google Ajax Widgets; and Facebook Widgets.
They are sometimes referred to as “third-party” widgets when the site that is using the widget is not the site that built the widget–the code and function that is provided by the widget comes from another site. Thus drive-by downloads can occur by exploiting structural vulnerabilities that exist in third-party widgets?
“While the widgets themselves are legitimate, cybercriminals will compromise them and/or serve malicious code through them to spread malware,” said Daswani.
That in turn leads to all kinds of problems. Malware ends up posted on legitimate sites which then causes these sites to get to become blacklisted by Google, Yahoo and other search engines and browsers. Reason: When a website uses a widget to render a part of a page, the site owner is effectively giving control of that part of the page over to a third party. If that third party gets compromised, the site owner is often not in the best position to have visibility or take action to mitigate the issue.
Preventing malicious widgets
“Websites should take preventative steps to vet third-party widgets that they use on their site,” said Daswani. “However, even though a third-party can be secure at the time of vetting, they could get compromised anytime thereafter. As such, website owners can have the third-party widgets on their sites monitored so that they can quickly react to security issues that may arise from them.”
Research by Dasient reveals that most of the high-traffic sites on the Web depend about a relative handful of similar widgets. Thus a fairly narrow line of vigilance over widgets can reap big rewards.
“Compromise of just a few popular widgets can be used to turn most trafficked websites on the Internet into distribution vehicles for malware,” said Daswani.
If you follow the pattern of audience measurement and advertising widgets that have been compromised, it shows the same few widgets over and over again. Most of the top 1000 sites on the Web, per survey, are dependent on the most popular widgets.
“Such widgets can be targeted by cybercriminals to spread a mass Web-based malware attack against the most highly trafficked part of the Web,” said Daswani. “The good news is that the top widgets do not have dependencies on each other.”