Mashup sites: imaginative, but potentially a risk

Data used for mashups could come from spoof sites, says security expert

Mashups — the new web genre — may be popular, but there is insufficient control over both information accuracy and security, attendees at a recent Canadian conference heard. The result could be that mashups ride roughshod over the rights of the original information owners.

Here in New Zealand, mashups were praised at the recent Webstock conference for being imaginative. Conference speaker and well-known blogger and commentator Russell Brown, however, did sound a general cautionary note regarding blogging and the cutting loose of news from professional journalistic codes and standards.

But it is mashup artists that perhaps present a greater danger, according to delegates to the Computer-Human Interaction conference, held in Montreal, Canada, in April.

Hart Rossman, chief security technologist for Virginia-based Science Applications International, is most concerned. Rossman is also an adviser to the US Department of Defence.

The essence of a mashup is the combining of data from two or more external information sources to make something new out of them. Often information sourced as hard-to-read tables is brought to life by being superimposed on a map — something which has become much easier since web-oriented map suppliers, such as Google and Microsoft, have developed application program interfaces to allow their maps to be used more conveniently, and even to present information in real time.

The mashup developer does not own the data being mashed, Rossman points out. At the same time the owner neither knows nor cares that his or her data is being used.

“How do you know the data is real?” Rossman asks. Without an exchange of encrypted ID certificates between source and mashup, the data could come from a spoof site.

For example, an outwardly public-spirited site that claims to show crime figures in certain areas could be hacked by criminals or those interested in selling property in a certain area to give a false impression. Even some accurate mashups risk creating trouble, says Tom Ovad, from the website He has experimented with collating wishlists of Amazon customers to identify those with particular, possibly suspect, reading habits.

Amazon keeps details of customers’ delivery addresses secret, but Ovad spoke about a technique for “fishing” common first names, which makes it possible to attach wishlists to individuals. Such a list might be useful to anyone who wanted to unearth potential terrorists — for example, the US or UK governments — he says.

Brown says Rossman makes good points. He notes that Ashley Highfield, new media director of the BBC, complained when visiting New Zealand last year about sites using BBC material out of context.
