False sense of security
Posted Tuesday, September 15th, 2009 9:03 am by Judd Bagley

Last year, while searching through the posting history of a specific Yahoo Finance message board user, I discovered something rather curious: a very small number of this user’s thousands of message summaries were italicized or underlined, in contrast with all the rest, which showed no special formatting.

Little old me managed to stumble upon a major Yahoo! security vulnerability.

When I clicked the formatted messages’ titles to read the complete posting, I discovered the reason behind the inconsistent formatting: this particular poster had a habit of using the ‘<’ symbol when quoting the content of previous messages (a variation on the more typical ‘>’ convention). On those occasions when the quoted content began with the single letter ‘I’, the summarized search result for that post – though not the full post itself – appeared italicized. When the quoted content began with the single letter ‘u’, the summarized search result for that post appeared underlined.

I soon realized that solely on message board search results pages, Yahoo was writing the raw message text into the page without escaping it, so my browser interpreted ‘<I’ as the HTML tag ‘<i>’, which instructs a browser to show what follows as italics, and ‘<u’ as ‘<u>’, which causes what follows to be underlined.

A bit of experimentation revealed that, after accounting for a few quirks, any HTML, up to and including iframes and JavaScript, could be embedded on Yahoo message board search results pages. With that, I realized that I had discovered a big, fat, honest-to-goodness cross-site scripting security hole (which was only recently fixed, as you can read here).
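The mechanism behind the italicized and underlined summaries is the standard HTML tokenizer rule that a ‘<’ followed by an ASCII letter opens a tag, with the tag name read case-insensitively up to the next space, slash or ‘>’. The example below is added here and is not code from the original post or from Yahoo; it models that rule, builds a search-result summary line the flawed way (raw text interpolated into markup) and the corrected way (HTML-encoded first), and audits a few constructed sample posts in the quoting style described above. The message titles, bodies and the `summaryRow` markup are assumptions made up for the example.

```javascript
// Added example, not code from the original post or from Yahoo: it shows why
// '<I' and '<u' in raw message text turned into <i> and <u> elements, and the
// output-encoding fix that prevents it.

// Encode the characters that are significant in an HTML text context.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// The HTML tokenizer opens a tag when '<' is followed by an ASCII letter and
// reads the tag name up to whitespace, '/', or '>'. Tag names are
// case-insensitive, so '<I disagree' opens an <i> element. This returns the
// tag names a fragment would open if written into the page unencoded.
function tagsOpenedBy(fragment) {
  const opened = [];
  const re = /<([A-Za-z][^\s\/>]*)/g;
  let m;
  while ((m = re.exec(fragment)) !== null) {
    opened.push(m[1].toLowerCase());
  }
  return opened;
}

// Build a search-result summary line two ways: the flawed way (raw text
// interpolated into markup) and the safe way (encoded before interpolation).
// The <li><b>...</b> markup is an assumed layout, not Yahoo's.
function summaryRow(title, body, encode) {
  const enc = encode ? escapeHtml : (s) => String(s);
  return `<li><b>${enc(title)}</b>: ${enc(body)}</li>`;
}

// Audit a list of messages: for each body, report which tags it would open
// when rendered raw and which it would open once encoded (expected: none).
function auditSummaries(messages) {
  return messages.map((msg) => ({
    title: msg.title,
    rawOpens: tagsOpenedBy(msg.body),
    encodedOpens: tagsOpenedBy(escapeHtml(msg.body)),
  }));
}

// Constructed sample posts in the '<' quoting style the article describes.
const SAMPLE_MESSAGES = [
  { title: 'Re: earnings', body: '<I disagree with the last post' },
  { title: 'Re: guidance', body: '<u said it was a buy' },
  { title: 'Re: plain', body: '> quoted the usual way' },
];

// Demonstration when run directly: print the audit and both renderings.
for (const result of auditSummaries(SAMPLE_MESSAGES)) {
  console.log(result);
}
for (const msg of SAMPLE_MESSAGES) {
  console.log('raw:     ', summaryRow(msg.title, msg.body, false));
  console.log('encoded: ', summaryRow(msg.title, msg.body, true));
}
```

The audit reports `rawOpens: ['i']` for the first message and `['u']` for the second, which is exactly the italic and underline formatting the post describes, while `encodedOpens` is empty for every message because `&lt;` never starts a tag. Note that `escapeHtml` is correct only for an HTML text context; content written into an attribute value, a URL or a script block needs the encoding appropriate to that context.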

This is odd for two reasons.

First, while I may be naturally inclined toward geekdom, I’m hardly an expert on internet security, much less a trained network cracker. Nor was I actually looking for a security hole at the time I discovered Yahoo’s.

Second, having worked for a major internet retailer, I’m sufficiently familiar with the rigor of security testing to know that this sort of thing is only supposed to happen to small sites lacking the resources to conduct extensive quality assurance, not to Yahoo, a multi-billion-dollar company.

Taken together, what this tells me is that the web is probably a much more dangerous place than I had imagined.

I also suspect it’s getting more and more dangerous, instead of less, thanks to Web 2.0.

In the old days, websites were static things created by an entity intent on handing out information to the users. Web 2.0 upended that paradigm by making the users themselves the source of the information. As great as that may seem, from a security standpoint asking users to add content to your site is a bit like inviting a group of strangers into your home, with all your valuables stored under the bed in the next room.

Even the open source MediaWiki software has more than its fair share of security vulnerabilities

Initially, this inherent vulnerability was held up as a strong argument in favor of open source software, the theory being that large communities of developers are more likely to spot security flaws. That may be true, but open source is by no means a panacea. Indeed, according to the Department of Homeland Security’s National Vulnerability Database, there have been 37 security holes identified in MediaWiki — the software used to power Wikipedia — including 26 cross-site scripting holes.

The most recent of these was identified just a few months ago, by the way.

That Web 2.0 had security issues at inception is not terribly surprising. After all, the deployment of new technologies is almost always dictated by market demand, not by the extent to which the technology is considered mature. Consequently, the early adoption period is usually marked by the hurried development of countermeasures.

That Web 2.0 security continues to be a problem, some five years into its existence, does surprise me. Maybe more to the point, it suggests to me that security flaws may simply be endemic to this iteration of the internet’s evolution.

6 Responses to “False sense of security”

  1. Jon Awbrey

    Your Friendly Nøøberhøød VD Advisor Says:

    Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism

    There’s a lesson in that …

    Ja Ja http://wikipediareview.com/smilys0b23ax56/default/boing.gif

  2. Jon Awbrey

    Φui! I can’t φunction without a preview button!

    Ja Ja

  3. * (Person gave an asterisk as their identity)

    Last MediaWiki versions are not vulnerable. See the versions affected by that “most recent vulnerability”. Last version is 1.15.1 (and having the installer accessible is uncommon).

    Does this mean it’s completely safe? Of course not. All software has bugs.

    A more interesting measure would be the time taken to fix the vulnerabilities, not just the number of bugs which were identified over time.

    Open Source usually performs better on this side.

  4. Gregory Kohs

    “All software has bugs” is not a true statement. I wrote a pretty mean Basic program on my TI-99/4A computer when I was about 12 years old — it was a “music video” to “O Little Town of Bethlehem”. You should have seen how the Star of David came out at the end and twinkled. Not a single bug in that program. Storage medium for this software? Audio cassette tape. Those were the days.

  5. Nihiltres

    @Gregory Kohs: while “All software has bugs” is logically false, the only reason that that’s the case is because the version of the statement there is so overgeneral. Perhaps a more strictly accurate way of saying it would be “Software which takes significant open-ended input and configuration and has a reasonable degree of complexity is highly likely to have bugs unforeseeable by anyone of human-level intelligence, assuming for simplicity that they understand the programming language(s) at hand.” Your Bethlehem program, for example, presumably didn’t require input or configuration—making its programming vastly simpler—imperative programs are extremely less complex than their conditional counterparts.

    Of course, that’s beside the point, seeing as the report mentioned doesn’t identify any extant vulnerabilities in MediaWiki. Perhaps Judd Bagley should be more worried about, say, widely-used operating systems. :)

  6. Prashanth

    Give me one bugless software, and I shall give you Web 3.0.