How many of us can differentiate an “iframe” from let's say a “div” tag? That’s a question I was asked recently and my estimate would be not that many. To the average user an “iframe” sounds more like a new product from Apple. Yet, if you visit user profiles on most any of the popular social networking sites they are filled with these tags and code.

One would argue that the selling point of Web 2.0 is user generated content and I am all for it. But the key question is, who generates this content and how is this content generated? The simple answer in a lot of cases is "copy and paste." Let me explain this in more detail.

With the rise of social networking sites, more and more users want to express their identity online. This runs from custom motorcycle wallpaper, to their favorite rap artist tunes, to animated cursors. But who writes all this code? Well, in most cases it’s not the user. The advent of social networking sites saw a sharp rise in ancillary third-party sites that did this hard work for the user. These sites are in no way affiliated with the social networking sites but they do feed off of them. A simple Google query yields scores of these third party profile-generating sites.

After a visit to one of these third party sites I had my profile “pimped” with an alien profile, a glittered picture of myself, and a couple of videos. The site gave me an option to copy the code and if I were getting too lazy it would copy and paste the code for me. All I had to do was give them my social networking site account information.

Does anyone see the problem here? With the sharp increase in browser-based threats, this has disaster written all over it. First and foremost, the code I was copying could be malicious. Although some social networking sites do a good job of sanitizing user-generated code, there could still be some small holes to exploit. For example, most social networking sites prevent posting of script code. Most have extremely strict rules for how videos should be posted and how they should interact with the browser and the system. “Iframes” are filtered as well to prevent redirects. However, you could point the code to download a malicious ANI cursor, JPEG, or GIF file and exploit innocent profile visitors (see “ANI to the Extreme” by Nicoloas Falliere).

With the level of sophistication we see in today's browser-based threats, the malicious code could be hidden within layers and layers of obfuscated script code and could fool even the savviest user who tries to inspect the code before copying. Secondly, giving away my account information to an untrusted third-party site spells trouble. How many of us use our bank passwords for social networking sites? The answer could be scary.

I am in no way saying all these sites are bad, but it just takes a few bad apples to do the damage. There is no evidence of these sites actually supplying malicious code; however, Symantec has observed a sharp increase in browser exploits hosted on third party profile-generating sites. So, even visiting these sites may pose a serious risk.

How do we solve this problem? In my opinion this is not an easy problem to solve and browser-based threats lurk around every corner of the Internet. Therefore, I would recommend keeping your antivirus and intrusion protection definitions up-to-date. Additionally, Symantec has built a number of excellent Web-browsing protections into our 2008 products. Web protection identifies signatures of known Internet Explorer browser vulnerabilities and blocks exploits as soon as they are released using these vulnerability signatures; they are extremely effective against browser-based threats. Symantec also has strong IPS and Bloodhound protection for the ANI file handling vulnerabilities.