February 8, 2007
@ 11:11 PM
Comments [4]
Netvibes: A Lesson in How to Build an Insecure Widgets Platform

Niall Kennedy has a blog post entitled Netvibes module developer collects web credentials, personal content where he writes

A developer created a Netvibes module and submitted it for inclusion in the Netvibes Ecosystem module directory. A Netvibes employee examined and approved the submitted module for inclusion in the directory. The remotely-hosted module was then altered by the developer to retrieve stored preferences from other configured modules and store information from other modules loaded in the page such as the contents of a webnote, the user's latest Gmail messages, upcoming appointments and contacts, etc. The developer stored this data in a remote database and later examined his collected findings.

Each Netvibes module is rendered inline, meshing the markup generated by the module with the rest of the page's content. A module developer is encouraged to access only their own module's content using a special Netvibes variable, but any developer can request other content on the page through standard JavaScript or the Prototype JavaScript framework.

I talked to Niall about this on IM and upon reading the blog post from the Netvibes team as well as Niall's summary of the situations it seems they are doing at least three things wrong from a security perspective.

  1. 3rd party gadgets hosted inline within the page instead of within iframes which means the gadget can walk the DOM and interact with other gadgets on the page.
  2. 3rd party gadgets are fetched from 3rd party domains instead of a snapshot of the code being run from their domains which means malicious developers can alter their gadgets after they have been submitted
  3. 3rd party gadgets not hosted on a separate top level domain which means gadgets may may be able to set and read cookies from the *.netvibes.com domain

All of these are safeguards that we take in Windows Live Gallery, Windows Live Spaces and Live.com to prevent malicious gadgets. I'm stunned that the response of the Netvibes developers is to change the text of their warning message and allow user rating of gadgets. Neither of are significant mitigations to the threats to their service and I'd recommend that they reconsider and actually secure their service instead of pushing this onto their users.


 

Categories: Web Development

« Windows Live Mail is now Windows Live Ho... | Home | The Marketing for the Upcoming Iran Inva... »
Friday, 09 February 2007 00:15:57 (GMT Standard Time, UTC+00:00)
At least one thing is missing in the answer from netvibes developers.

We are in the process to launch our new Widget API (that we are working on for months) with all three points you mention implemented. This should be public in a few days and i hope a full launch should be completed in 1 month.

Be sure this is a priority for us.
François Hodierne
Friday, 09 February 2007 07:38:33 (GMT Standard Time, UTC+00:00)
#1 seems like a feature, not a bug. This allows widgets to modify the page as they see fit. This can lead to some very powerful functionality.

Assuming the code is trusted, why not let them do this?
Srini
Friday, 09 February 2007 20:17:23 (GMT Standard Time, UTC+00:00)
Srini,
The point is that the code isn't trusted. It's 3rd party code which has been submitted to their 'ecosystem' (aka 3rd party code gallery).

There is no chance all 3rd party code can be trusted because it would be too expensive and too limiting to put every 3rd party widget through extensive code reviews by the company's Javascript gurus before it is accepted. At best they can have a certification process where a subset of the 3rd party gadgets are reviewed and then become 'trusted' but even then it is probably a bad idea to have gadgets that interact with other gadgets especially if they aren't authored by the same group.
Dare Obasanjo
Monday, 12 February 2007 02:28:40 (GMT Standard Time, UTC+00:00)
I think you mean 'unsecure'.

Insecure is when you run around needing people to tell you that you don't look fat.
Joe
Comments are closed.