What happens when your business model disables critical security protections for your users? Last week, software developer Vijith Assar wrote an editorial on The Verge discussing his research into the Genius web annotation platform and their questionable practices. Genius is a Brooklyn-based startup that allows users to create annotations on any webpage on the internet, effectively adding a comment section anywhere and everywhere. For an example of Genius annotations, check out the About Us page on Genius.com.
When Assar originally disclosed the security impact of disabling Content Security Policy on the pages Genius proxies, Genius noted that the risk of a cross-site scripting attack was minimal because their annotator does not store any personal information about its users between page loads. Assar went on to explain that while Genius was correct in that statement, users would still be exposed to arguably more serious risks, such as drive-by malware downloads and keyloggers, since any script injected into the page runs with CSP switched off. Luckily, after Assar provided proof-of-concept examples to Genius, their developers made changes to re-enable the original Content Security Policy for proxied websites, with a few modifications to allow the Genius scripts to run.
I’m impressed that Genius has taken steps to increase their users’ security at the expense of keeping those users contained within their service’s ecosystem. Content Security Policy is an important mechanism for defending against cross-site scripting attacks. I would recommend that all users choose web browsers that support the latest specifications and be mindful of services they use that might weaken that protection. — Marc Laliberte
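To make the fix described above concrete, here is an added example (not code from Genius, The Verge, or this article) of the two ways a proxy can treat an upstream Content-Security-Policy header: dropping it entirely, which is what left users exposed, versus parsing it and appending one extra script origin while every other directive stays intact. The annotator origin and the sample upstream policy are constructed for the example.

```python
"""Parse, check and extend a Content-Security-Policy header.
Added example; the origin and policy values below are constructed."""
from typing import Dict, List

def parse_csp(header: str) -> Dict[str, List[str]]:
    """Turn 'directive src src; directive src' into {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def serialize_csp(policy: Dict[str, List[str]]) -> str:
    return "; ".join(f"{name} {' '.join(srcs)}".strip() for name, srcs in policy.items())

def allow_script_origin(header: str, origin: str) -> str:
    """Keep the upstream policy and add `origin` to script-src only.
    If the page has just a default-src, a script-src is derived from it so
    that images, styles and frames are not widened as a side effect.
    If the page restricts scripts nowhere, nothing needs changing."""
    policy = parse_csp(header)
    if "script-src" not in policy:
        if "default-src" not in policy:
            return header
        policy["script-src"] = list(policy["default-src"])
    if origin not in policy["script-src"] and "*" not in policy["script-src"]:
        policy["script-src"].append(origin)
    return serialize_csp(policy)

def weaknesses(header: str) -> List[str]:
    """Report policies that leave XSS protection off: a missing header,
    unrestricted scripts, 'unsafe-inline' without a nonce or hash (browsers
    ignore 'unsafe-inline' once a nonce/hash is present), or wildcards."""
    if not header.strip():
        return ["no Content-Security-Policy header"]
    srcs = parse_csp(header)
    script = srcs.get("script-src", srcs.get("default-src"))
    if script is None:
        return ["scripts unrestricted (no script-src or default-src)"]
    problems = []
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in script)
    if "'unsafe-inline'" in script and not has_nonce_or_hash:
        problems.append("'unsafe-inline' permits injected inline scripts")
    if "*" in script or "data:" in script:
        problems.append("wildcard or data: script source")
    return problems

# Constructed upstream policy, as a proxied site might send it.
UPSTREAM = "default-src 'self'; script-src 'self' https://cdn.example; object-src 'none'"
```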
I wish somebody had done a little bit of research before using the term ‘nonce’; in the UK it’s what we call prisoners that are convicted of child s-e-x abuse crimes.
I agree with the author, kudos to Genius for taking security seriously, even at the risk of excluding sites from the community.
Well written. Thank you!