Mashups, online applications that combine data and tools from different websites, are becoming increasingly useful. Although they started out as simple consumer programs, such as a tool that placed housing listings from Craigslist onto Google Maps, mashups have grown in complexity and are becoming popular with corporations, too. As a growing number of tools are released to help people easily build mashups, experts are also taking a look at how to head off the security risks.
Many mashups share text only, says David Boloker, cofounder of the OpenAjax Alliance and IBM’s CTO of Emerging Internet Technologies. They risk, at worst, including incorrect or copyrighted data. However, as mashups become more complex, they’ve begun incorporating computer code from multiple sources. “At this point, we’re now bridging to untrusted code,” Boloker says. For example, a real-estate company might want a mashup to work with listings from an internal database. The mashup might run the listings through third-party tools for comparison with competitors’ prices in the same zip codes, and then use an additional third-party tool to map all the houses on the market. Without security safeguards, this mashup could make the company’s internal database vulnerable to malicious code in any of those third-party tools.
Web browsers weren’t designed with mashups in mind, and “the warts have been there from day one,” Boloker says. Browsers contain a security feature called the same-origin policy that’s meant to keep malicious code hosted on one site from grabbing data, such as stored credentials, off another site. The same-origin policy prevents websites from one domain from requesting data belonging to another domain.
However, Helen Wang, a senior researcher in the systems and networking group at Microsoft Research, explains that the same-origin policy fails by forcing “Web applications today to either sacrifice security or functionality.” She says that a lot of great functionality, such as that of mashups, comes from using tools from multiple sources. The problem is that when the website creator embeds code written by a third party on her site, the same-origin policy no longer offers any protection, and the embedded code likely has access to information stored on the creator’s site. For example, if the creator of a forum embeds a mapping application on her site, the code in the mapping application could potentially access log-in data for the forum. Mashup makers, Wang says, either give up security by accepting those risks and trusting third-party tools, or they give up functionality by denying themselves the use of untrusted tools.
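The trade-off Wang describes can be seen in a simplified model of the origin check. The following is an added example, not code from the article or from any browser. The URLs and function names are constructed, and the model ignores sandboxed frames and cross-origin messaging APIs. It shows why a third-party script included directly in a page can read that page's data, while the same tool loaded in a cross-origin frame cannot.

```javascript
// Simplified model of the same-origin policy (added illustration).
// All URLs and function names are constructed for this example.

// An origin is the (scheme, host, port) triple of a URL.
function originOf(url) {
  return new URL(url).origin;
}

// Which origin does embedded third-party code execute under?
//   "script": included with <script src=...>, so it runs with the
//             embedding page's origin, wherever the file was fetched from.
//   "iframe": loaded in a frame, so it keeps the origin it was served from.
function effectiveOrigin(pageUrl, codeUrl, embedding) {
  if (embedding === "script") return originOf(pageUrl);
  if (embedding === "iframe") return originOf(codeUrl);
  throw new Error("unknown embedding: " + embedding);
}

// True when the embedded code may read the page's DOM and
// script-visible credentials, false when the browser isolates it.
function canReadPageData(pageUrl, codeUrl, embedding) {
  return effectiveOrigin(pageUrl, codeUrl, embedding) === originOf(pageUrl);
}

// Constructed scenario from the article: a forum embedding a mapping tool.
const forum = "https://forum.example/login";
const cases = [
  ["https://maps.example/widget.js", "script"],   // full access, no isolation
  ["https://maps.example/widget.html", "iframe"], // isolated, no direct access
  ["https://forum.example/own-map.html", "iframe"], // same origin, access
  ["http://forum.example/own-map.html", "iframe"],  // scheme differs, isolated
];

function evaluate() {
  return cases.map(([codeUrl, embedding]) => ({
    codeUrl,
    embedding,
    access: canReadPageData(forum, codeUrl, embedding),
  }));
}

for (const row of evaluate()) {
  console.log(`${row.embedding.padEnd(6)} ${row.codeUrl} -> ` +
              (row.access ? "can read forum data" : "isolated"));
}
```
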
Chuck Willis, principal security consultant for Mandiant, an information security firm, says that many developers would like to see some of the controls, such as the same-origin policy, relaxed. The average user needs things to stay the way they are, he says, since most users don’t understand the consequences of giving access to third-party tools. But efforts to relax existing protections need to be approached with care.