Threat Level: green Handler on Duty: Manuel Humberto Santander Pelaez

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Potential Risks of Personalized Portal Start Pages

Published: 2006-03-05
Last Updated: 2006-03-05 04:46:30 UTC
by Lenny Zeltser (Version: 1)
0 comment(s)
Personalized portal start pages have been around for some time, represented by sites such as My Yahoo! and My Excite. Encouraging users to use these sites as browser start pages, such personalized pages offer the convenience of fitting lots of data, such as news, weather, and stocks, on a single web page.

The new generation of portal sites, such as Netvibes and Google Personal Homepage, offers rich functionality that allows the users to include interactive modules in the start page. Before embedding your email or del.icio.us accounts in one of these pages, be mindful the potential risks of using such sites to process sensitive data.

I'd like to bring up two such risks for your consideration:
  1. Providing such portal sites with login credentials to your other accounts threatens confidentiality of your username and password.
  2. Using portlet modules created by a third party may allow unauthorized access to the web session and other information.
Let's consider a few examples.

How Does the Site Store Your Information?

Netvibes is a popular new-generation start page site, offering a clean interface and a nice set of features. In addition to allowing its users to embed a range of data sources on the personalized start page, Netvibes includes several interactive modules. One of them lets a Netvibes user keep an eye on his or her Gmail mailbox:



It's neat. How can Netvibes connect to the user's Gmail mailbox? The person has to supply his or her username and password to Netvibes:



If you decide to take advantage of this functionality, keep in mind that Netvibes makes no representations regarding the safety of your login credentials. The credentials may be sent to the portal server in clear text via HTTP, and you shouldn't expect the credentials to be stored in an encrypted manner. As stated in its Terms of Use, "... your use of the Service is at your sole risk. ... You understand that the technical processing and transmission of the Service, including your Content, may be transfered [sic] unencrypted... "

Other Netvibes modules that might threaten your data's confidentiality allow logging in to Yahoo! Mail, POP accounts, del.icio.us, and Blogmarks.

Who Has Access to Your Information?

Another issue with using such portal sites to process sensitive data is illustrated by portlet modules that users can add to their Google Personal Homepage. It is relatively easy to write custom modules for this site. Google offers numerous such portlets, created by third-party developers for adding to Google Personal Homepage.

When a user attempts to add a third-party module to the personal home page, Google thoughtfully presents the person with the following warning pop-up:



In this message, Google reminds the user that the module, written by a third-party developer, has the ability to access any information the user supplies to this module. If the module you are adding asks for sensitive information, be sure you trust the module's developer before supplying the data.

One nice aspect of third-party modules for Google Personalized Homepage is that its users have the ability to inspect the code that comprised the modules before adding them to the page. If you're well-versed in JavaScript and HTML, this might offer a level of comfort.

What Other Information Can the Module Access?

Another concern related to the use of personalized start pages is that one portlet module might gain access to sensitive session information or to another module. Google warns its users when it notices that a module carries this risk. For instance, when a user attempts to set up a Bloglines notifier module for Google Personalized Homepage, he is presented with the following warning:



In this message, Google alerts the user that the module could give its author access to sensitive information associated with his google.com session, and implies that data from other portlet modules will be accessible, too.

In Conclusion...

I like the idea of personal personalized start pages that improve upon the concept that a portlet module should only contain static data. At the same time, I am weary of using these sites for processing data that I consider sensitive. I think you should be careful, too. There are many new web sites springing up in attempts to offer modern versions of start-up page sites. I hope some of them decide to differentiate themselves from their competitors by implementing a solid data segregation model and a reliable way of protecting their user's data.

For a long list of new-generation personalized start pages take a look at the AJAX Homepages Market Review article on the Web 2.0 Explorer blog.

Lenny Zeltser
ISC Handler on Duty
www.zeltser.com
Keywords:
0 comment(s)
Diary Archives