Tuesday, March 3, 2009

White House removes YouTube embedding from its website

The Register and the Washington Post both report that the White House has removed embedded YouTube video from its site, because the embed was setting cookies that tracked visitors to whitehouse.gov even when those visitors never actually played the video.

Taking a step back: maybe the worrying thing about embedding third-party components on your website should be... embedding third-party components on your website. Remember the furor about ActiveX - which was precisely a way of embedding components in websites and applications? When did people lose their fear of embedding third-party video, maps and social-networking widgets in their sites?

I gave a presentation at RSA 2007 about security risks in Web 2.0, including attacks such as JavaScript hijacking. If you can get your code to run in someone else's Web page, then you have many options - both commercial (tracking cookies) and malicious (JavaScript hijacking). Click on the image below to get the full presentation.

The solution is to vet third-party components before their JavaScript is blindly copied and pasted into a website. The content of these JavaScript components must also be scanned - for example, for code which sets a cookie or "phones home" using an XMLHttpRequest - using an XML Gateway. Otherwise, the attractions of Web 2.0 end up becoming major security and privacy risks.
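As an added example (not from the original post, and not how any XML Gateway product works), here is a small JavaScript triage pass of the kind the paragraph above calls for: it takes a vendor's embed snippet and flags script sources outside an allow-list, cookie writes and phone-home calls. The allow-list, the sample snippet and the function names are constructed for illustration.

```javascript
// Added example, not from the original post: regex triage of a third-party
// embed snippet before it is pasted into a page. Not a parser: obfuscated code
// can evade it, so an empty result means "nothing obvious", not "safe".
const ALLOWED_HOSTS = ['cdn.example.com']; // constructed allow-list

// The behaviours the post names (cookie setting, XMLHttpRequest) plus two
// other common ways embedded code reports back to its origin.
const RISK_PATTERNS = [
  { id: 'cookie-write', re: /document\.cookie\s*=/ },
  { id: 'xhr',          re: /\bnew\s+XMLHttpRequest\b/ },
  { id: 'fetch',        re: /\bfetch\s*\(/ },
  { id: 'image-beacon', re: /new\s+Image\s*\([^)]*\)[\s\S]*?\.src\s*=/ },
];

// Hosts referenced by <script src="..."> tags (protocol-relative URLs included).
function scriptHosts(snippet) {
  const re = /<script[^>]*\ssrc\s*=\s*["']([^"']+)["']/gi;
  const hosts = [];
  for (let m; (m = re.exec(snippet)) !== null;) {
    try { hosts.push(new URL(m[1], 'https://example.com/').host); }
    catch (_) { hosts.push('(unparseable)'); }
  }
  return hosts;
}

// Bodies of inline <script> blocks (those without a src attribute).
function inlineScripts(snippet) {
  const re = /<script(?![^>]*\ssrc\s*=)[^>]*>([\s\S]*?)<\/script>/gi;
  const bodies = [];
  for (let m; (m = re.exec(snippet)) !== null;) bodies.push(m[1]);
  return bodies;
}

// De-duplicated findings; an empty array means nothing was flagged.
function vetEmbed(snippet, allowedHosts = ALLOWED_HOSTS) {
  const findings = scriptHosts(snippet)
    .filter((h) => !allowedHosts.includes(h))
    .map((h) => `external-script:${h}`);
  for (const body of inlineScripts(snippet)) {
    for (const { id, re } of RISK_PATTERNS) if (re.test(body)) findings.push(id);
  }
  return [...new Set(findings)];
}

// Constructed sample: loads a remote script, drops a tracking cookie and
// reports back, whether or not the visitor ever plays anything.
const SAMPLE_EMBED = `<script src="//tracker.example.net/t.js"></script>
<script>
  document.cookie = "vid=" + Math.random() + "; path=/";
  var x = new XMLHttpRequest(); x.open("GET", "//tracker.example.net/p"); x.send();
</script>`;
console.log(vetEmbed(SAMPLE_EMBED)); // ['external-script:tracker.example.net', 'cookie-write', 'xhr']
```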