
Critical Web 2.0 vulnerability discovered

Web 2.0 may be the "it" web technology of the moment for businesses and consumers alike, but launching web-based applications is not without peril. That's what security firm Fortify Software has shown by discovering what it calls a "pervasive and critical" vulnerability in the most popular AJAX frameworks, one that would allow for so-called "JavaScript Hijacking." According to eWeek, only DWR 2.0 (Direct Web Remoting 2.0) has features that prevent such hijacking; apps created using Microsoft ASP.Net AJAX (aka Atlas), Google Web Toolkit and xajax are all vulnerable. The bug lies in the way these toolkits implement JSON (JavaScript Object Notation). "The attacker can put code in a Web page," said Brian Chess, Fortify Software's co-founder and Chief Scientist. "If he can trick you into running it in your browser, your browser can look like you and act like you, but it's not you; it's actually shoveling data back to [the attacker]."

For more on the vulnerability:
- see this eWeek article
