"The vulnerability is widespread," said Brian Chess, chief scientist and a founder of Fortify, in an interview. "If this goes unfixed, then this will be the same kind of problem we've had with buffer overflow. We've known about that for 30 years and we still don't have a handle on it."
While the vulnerability is widespread, the attacks aren't yet, Chess said. But he's sure they're taking place and he's also sure the problem will escalate.
"Historically speaking, the good guys are the last to know," he said. "This would be a record if the good guys were talking about it before the bad guys. And I don't think that is happening here."
Craig Schmugar, a threat researcher at McAfee, said Web 2.0 sites are putting themselves at risk. "Web 2.0 is growing at such a fast rate that security on many of these sites isn't a priority," he said in an interview. "It all comes up when they have to decide between securing the site and supporting functionality." Securing the site, he added, doesn't always win out.
Johannes Ullrich, chief research officer at the SANS Institute and chief technology officer for the Internet Storm Center, said the user-based content on many of the Web 2.0 sites also is contributing to the risk factor. On sites like MySpace, hackers could even create their own page and embed malicious code, or they could become a trusted "friend" to someone else, add a comment on their page, and embed the malicious code in it, he explained in an interview.
Schmugar agreed with Ullrich that sites often are enabling user-based content at the expense of security. "It's doing things the Web site shouldn't be allowed to do," he said. "It's breaking out of the trusted relationship. MySpace is an extreme example because all of the content is user created. You end up with these valid sites with malicious pages in them. You could go to a site you visit all the time and be hit with this."
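The risk Ullrich and Schmugar describe comes down to a site placing user-written text into its own pages without neutralizing it first. The following is an added illustration, not code from the article or from any of the sites or companies mentioned, of the standard defense: HTML-escaping each comment before it is rendered, so that a comment containing markup is displayed as literal text rather than run by the next visitor's browser. The comment data, the `renderComment` layout and the `looksLikeMarkupInjection` review heuristic are all constructed for this example.

```javascript
// Added example (not from the article): escape user-submitted comments
// before embedding them in a page so that markup in a comment is shown
// as text rather than executed by other visitors' browsers.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape the five characters that can change HTML structure in element
// content or in double- or single-quoted attribute values.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Build the HTML fragment for one comment. Author and body are untrusted
// user input; only the surrounding markup is chosen by the site.
function renderComment(comment) {
  return (
    `<li class="comment"><b>${escapeHtml(comment.author)}</b>: ` +
    `${escapeHtml(comment.body)}</li>`
  );
}

// Render a whole comment thread; every piece of user text goes through
// the same escaping path, so no single comment can break out of the list.
function renderThread(comments) {
  return `<ul class="comments">${comments.map(renderComment).join("")}</ul>`;
}

// Review heuristic (hypothetical, for logging or moderation only): flag a
// plain-text comment that contains tags or attributes a plain comment never
// needs. Escaping above is the actual protection; this only aids detection.
function looksLikeMarkupInjection(body) {
  return /<\s*(script|iframe|object|embed|img|svg)\b|\bon\w+\s*=|javascript:/i.test(body);
}

// Constructed sample comments: one ordinary, one that embeds a script
// (a harmless alert is used as the marker).
const SAMPLE_COMMENTS = [
  { author: "alice", body: "Nice page, see you at the show!" },
  { author: "mallory", body: '<script>alert("hi")</script>' },
];

// Returns true when the rendered thread contains no live <script> tag,
// i.e. the embedded script survived only as escaped text.
function threadIsInert(comments) {
  return !/<script/i.test(renderThread(comments));
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(renderThread(SAMPLE_COMMENTS));
  console.log("inert:", threadIsInert(SAMPLE_COMMENTS));
  console.log("flagged:", SAMPLE_COMMENTS.map((c) => looksLikeMarkupInjection(c.body)));
}
```

The escaping is applied at the point where text is written into HTML, not at submission time, so the stored comment remains exactly what the user typed and the same data can later be emitted safely into a different context (a JSON API, an e-mail) with that context's own encoder.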