Here is our take on news, art, ideas, technology, the web, and things we like - join the discussion and don't forget to subscribe to the RSS feed.


   Dusko Ojdanic

Widget Jacking

The Internet has touched all aspects of our lives. Often we take it for granted, noticing only when our connection to the web fails. Rarely do we consider how the web works or the inherent risks which browsing also carries.

Background: Social widgets

Social networks (SocNets for short) provide different kinds of widgets available for embedding into web pages. The widget resources (images, javascript snippets) are hosted by the social network servers and belong to their domains.

The way to incorporate a widget into a web page is to add a link to a particular widget resource. This causes the web browser parsing the page, to send a request to the SocNet’s domain. Along with the request, the browser will send any cookies corresponding to that particular domain in the shape of third party cookies.

Now, lets assume that the person accessing the page is also a user of that particular SocNet and that he has logged into a SocNet site in a different browser tab. This would mean that the browser already has a cookie belonging to SocNet’s domain and, more importantly, this cookie contains the person’s authentication key, socalled session ID. This, ‘first party cookie’ will be sent with the request for the widget.

The problem: Widget jacking

Due to being a prime target for hacking as shown by Facebook and the Firesheep incident, social networks have stepped up their efforts to provide security for their users. In light of that most of them are in the process of switching to exclusively using secure HTTPS communication.

This makes session ID capturing or session hijacking nearly impossible, which leaves a small, but important, hole in their security practice: Widget jacking.

When accessing a SocNet website directly, the user and his session ID are protected by the encryption provided by HTTPS. But when accessing websites which contain SocNet’s widgets, whether the session ID will be sent in the clear or encrypted depends only on the type of link used to embed the widget.

If the link uses HTTPS protocol, the cookie will be encrypted and everything is fine. If a plain HTTP link is used, the cookie and authentication info it contains are sent in the clear, available for anyone listening in the conversation to capture and abuse.

So, should you be worried?

‘Who is going to be listening in on my conversations?’, you might ask. Probably no one, but there are risks which you should be aware of. The most important of these is open access points. These are available at airports, restaurants, coffee shops and the like. They are meant to be a convenience and additional feature for attracting the clients, but they also pose a huge security risk.

When you access a protected access point, you have to provide a password. That password is used as a key for encrypting the communication between you and the access point. The strength of the encryption varies depending on the technology used, but it always presents an obstacle a potential attacker would have to overcome – before being able to access your data.

Using an open access point means no password (convenient!) and no encryption, making it trivial for all in the range of your wireless transmissions to listen in on everything your computer is sending, including your unencrypted cookies.

How can I protect myself?

On the client side, one thing you can do is to use a VPN service when accessing the internet via an open access point. VPN technology will create an encrypted tunnel between you and the VPN service provider, making it impossible for an attacker to capture your information.

On the server side, the responsibility for mitigating this threat lies in the hands of web developers embedding the widgets. So, if you are one of them, next time you go about embedding a Tweet button, remember that the site visitors depend on you to make their browsing safe.


Leave a Reply

Your email address will not be published. Required fields are marked *