I alluded to this eventuality in my white paper on Cross-Site Scripting Worms and Viruses. In my opinion this is the likely attack vector for the next BIG attacks on the Web.
Thanks for the kind comments, I'm glad you found the article thought provoking.
We've spent the last 20 years making our operating systems more and more secure and our browsers bomb-proof. Unfortunately many of us now do most of our work inside the browser itself and outside the firewall.
It's only going to take one semi-successful Web 2 or MySpace add-in company with a neat little blog widget that surreptitiously harvests document data and we're going to see passwords disappearing everywhere.
I personally think that the answer lies in segmenting scope within the browser.
We have to get the tools to ringfence foreign code and data or else things are going to get very messy indeed.
Yah, I think right now, security on the Web is basically completely broken. Users have no way to protect themselves. Things wouldn't be so bad if the browser vendors were actively working on something, but they're not. What you can do with JS is so amazing now, hard to tell where we go from here. There are lots of ideas, just no implementation.