Security update on third-party modules in the Ecosystem
We were alerted yesterday by a French blog to a security vulnerability in webnotes that could be triggered through a third-party module. A fix was due to ship later this week, but given the public alert we decided to push it today: the vulnerability is now fixed. The exploit was carried by an Ecosystem module. That module has been blocked from the Ecosystem, and we have been working with our API team and external developers to improve the security of the parts of the API involved in this case.
Unfortunately one of our developers, who checks and analyzes every module, was himself a victim of this module, and his personal development environment was exposed online. The module, running in his page, read the content of one of his webnotes; with that, its author gained access to his personal development database and published private screenshots online.
Our response had to be immediate because the module author unethically published the vulnerability on his blog before contacting us. Thanks to our community of developers, we were alerted early enough to react quickly and provide the fix. His blog post has since been removed, and he confirmed that he had access only to a development database, not to private user data.
Improving and maintaining the highest level of security in Netvibes has always been our priority.
Nonetheless, you should be very careful when you add a module from the Ecosystem.
We are planning to improve the security message shown when you add a new third-party module (your feedback would be helpful). It already states that you should not use modules you don't know, and that you use them at your own risk, but we should provide a clearer message.
We have received lots of interesting proposals and great input on new security features: secured tabs, Authenticated Regenerated Cookie-Trees, etc. Our developer mailing list and this blog are good places to discuss all these matters.
We will also start introducing user ratings and the certification of modules in the Ecosystem.
We would love to hear your feedback on this subject.
#1 | Peter Bissel | February 5th, 2007 at 16:44
Although I don't like that there was a security hole, I would like to congratulate you on the short time in which you were able to fix it. You rock!
#2 | tommy | February 5th, 2007 at 21:21
Is it an attack from Webwag or Pageflakes?
Bad news for me (and for you, I am sure)! But I am sure it could be done on other web portals as well!
#3 | Mums | February 5th, 2007 at 23:02
I confirm... You rock!!
#4 | Tommy | February 6th, 2007 at 09:08
How about adding a safe-list and an unsafe-list of modules (or signed/verified)? Modules are by default not safe and get verified by Netvibes onto a safe-list. Modules not on the safe-list get additional warnings when added AND get certain security restrictions, even if it cripples some of their functionality.
#5 | Régis Freyd | February 6th, 2007 at 10:53
To be honest, I will continue to use Netvibes as often as before. When I read such news, I totally trust your technical team to quickly solve the problem.
#6 | Webmonkian | February 6th, 2007 at 11:30
How did you fix this? Please explain in more detail. I assume you increased encryption on passwords… but more importantly how did you stop people changing 3rd party modules or stopping them from sending personal data back to their servers?
#7 | David | February 6th, 2007 at 12:24
Thanks for the transparency of this information. I posted a module 2 days ago and I didn't realize how big the problem was. I think user ratings and the certification of modules would be a great idea for the future. Good work guys!
#8 | sajsemegaloma | February 6th, 2007 at 16:53
Yeah, what Tommy says makes sense… have a "verified by Netvibes" status for modules you’re sure are safe, and have the others warn you that you’re installing them at your own risk.
The user-rating of modules is a good idea, but i don’t see how it helps with cases like this.
#9 | Netviber001 | February 7th, 2007 at 16:10
Hi,
Just a month ago I wrote a post on the security issues with Ajax-based homepages on my blog netviber.blogspot.com/200…
There are 2 main sources of problems:
1) Netvibes can help me look at my Gmail, eBay, Yahoo and many other registered services if "I give them" my passwords in order to access directly the services I am registered to.
2) Netvibes offers modules, feeds, tabs that have been uploaded by external sources with no control by Netvibes, as they mention clearly when you upload them.
Now we just had a problem with point 2, but what about point 1) Passwords used with Netvibes?
Netviber001
#10 | Toms | February 8th, 2007 at 10:06
Thanks for your efficient support!
#11 | len | February 9th, 2007 at 14:08
When I read the description of the attack (which is typical for web 2.0 services), as someone who has been busy with security for 5 years I would recommend the following:
1. If you let users type in passwords for other services, they should never leave your server, and that server should be encrypted and totally separated and protected from the rest. You could already federate the live.com, Google, Yahoo environments by working with iframes for login, but that needs some cooperation, no?
2. It is just mind-boggling to me that you don't give your applets a code. This code (encrypted) gives the API a profile. The API checks if the code is the same as the one it has in its database from the time the applet was proposed. If it differs it is 'non-secure' and certain operations are not allowed.
3. I think you need a digital soldier in the front lines who just looks at all kinds of incidents and logs all day and does nothing else, and knows immediately when he sees something whether it is normal or not and what to do next. Not only a security consultant who writes expensive papers for expensive products. A sniper, a watchguard. A human supported by lots of machines.
hope you learned a lesson of five
#12 | -M-ric | February 9th, 2007 at 17:17
I was about to panic, but everything seems to be under control ^^
I'll keep my mail module.
#13 | Peter Bissel | February 10th, 2007 at 12:57
Len, I'm working on something like Netvibes, and believe me, what you're writing is very hard or not possible to do.
1. It's not possible. The services don't provide an interface that would work as conveniently and in the same way as currently. Anyway, you *cannot* get your passwords back from Netvibes! I forgot one of my passwords and tried it. I had no luck (fortunately I was able to get it from another source), but I'm very happy that they store it in a separate place.
2. "If it differs it is 'non-secure' and certain operations are not allowed." The problem is that you cannot do this with JavaScript; you cannot disable operations.
3. Why do you think they don't do that?
Maybe they don't, but having seen some hacks around the globe, I have never seen such an immediate response as now.
#14 | aşk | February 10th, 2007 at 17:48
Thanks for this good warning. I'll be careful about this.
#15 | Muhabbet | February 12th, 2007 at 22:25
This honesty is admirable... But you will be the winner in the end...
#16 | Kral Oyun | February 13th, 2007 at 18:38
Thanks, good document
#17 | Burslar | February 15th, 2007 at 23:44
What did you do to fix it?
#18 | tavla | February 24th, 2007 at 02:32
hmmm
#19 | Antonio | February 28th, 2007 at 13:31
Very nice site! Good work.
#23 | Valderama | April 2nd, 2007 at 13:52
Please audit your code. There may be other undiscovered exploits like this one. I have a lot of data in my Netvibes account.
Many thanks.
#29 | Champigny | July 16th, 2007 at 11:44
I'm really impressed too! Good luck Netvibes
#31 | sohbet | August 22nd, 2007 at 23:16
Excellent news. I have been using Netvibes for about a month now, and haven't looked back. This would make a great addition to my company's
#37 | Show | September 27th, 2007 at 20:09
Be careful if you install the rating module. The user rating of modules is a good idea, but I don't see how it helps with cases like this.
#40 | sohbet | October 30th, 2007 at 16:06
The UWA widgets are supported on the iPhone, but it's a particular platform; for example there are some issues with iframes, and Flash is not supported.
UWA widgets are rendered through an iframe (like in Netvibes), but the ugly scrollbars that you see in your regular browser are handled nicely and automatically by the iPhone browser.
You can't edit preferences yet (it's read-only).
#43 | baby | November 30th, 2007 at 08:24
I think an interesting point can be raised here. Although it may have been unethical for the blog poster to have exposed the security issue to the public before contacting you guys, if he hadn't done so, would you have been so quick to fix the problem? As you stated, you were only planning to release a fix in the next release. Human nature might have now forced you to release the fix early, for which we are all grateful.
Just saying, this may be the reason why the blogger exposed the security problem before contacting you.
#55 | evden eve nakliyat | February 14th, 2008 at 21:20
Indeed, it's very promising. I'd like to test it if you are giving out some invitations; congratulations again!