As demonstrated by the Gmail contacts list hijack attack, web 2.0 technologies are quite vulnerable to attacks. And while Gmail has a rather good security record, cross-site scripting is the security issue to watch out for. Especially since many web 2.0 sites deal with sensitive data (especially data you probably shouldn’t have given them in the first place…), this is rather interesting.

It’s not new (mind you, the whole web 2.0 thing is not new), but it’s being used heavily now, and a lot by people who don’t pay enough attention to security. The whole web 2.0 thing is quite naive, mind you.

I expect more attacks of this type to surface. And in the long run I think we’ll either need to use some web interface specification language (so the browser only allows whitelisted access; think robots.txt) or new security filters in browsers will break most (if not all) mashups.

Maybe it would be best to add some real WSDL/SOAP code to the JavaScript core (and in this process add all the stuff the monster JavaScript libraries around have been adding: effects, event queues, sane callback handling, getElementById shortcuts etc. - it just doesn’t make sense to download the same 200k of JavaScript from a dozen sites. Dojo, MochiKit, Prototype, …).