Avoiding security threats when sending messages from OutSystems Applications
Protecting your users against phishing and malware
When developing applications we must be security aware and avoid the risk of creating security issues. Especially when sending messages to our users. In this article I’ll explain the common threats and a recommendation on how to avoid them.
Pay attention that these are just a few of the security measures that an organization must take to protect itself against hackers. Consult with your Information Security Officer which other measures apply to your organization.
Threats in messages
Phishing
Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by disguising oneself as a trustworthy entity in an electronic communication. Typically carried out by email spoofing or instant messaging, it often directs users to enter personal information at a fake website which matches the look and feel of the legitimate site. Source Wikipedia: https://en.wikipedia.org/wiki/Phishing
Phishing prevention
To prevent phishing you can disallow the use of hyperlinks in your messages and inform your users that you never send emails containing hyperlinks and that they should never click on links in messages.
How to: Instead of a link, give the recipient instructions how to go to your site, or redirect them to a specific page. In user on-boarding or password reset-flows you can use a verification code which is valid for a limited time to verify the user. Although using an identity provider with two factor authentication has the preference, this is a good alternative when it’s not available.
Example Reset password process flow.
- The user clicks on the forgot password link in the login page,
- On the forgot password page the user enters his email and submits the input,
- If a user with the provided email exists a reset token is generated, the token is send to the user, and the user is redirected to the ResetPassword page,
- On the ResetPassword page the user has to provide his email, the token and the new password,
- If the Email and Token combination is correct the new password is saved and the user is redirected to the login page.
Malicious attachments
Emails often include dangerous attachments that install keyloggers, ransomware, and other malware when opened by the victim. If your messages contain attachments then your users are vulnerable to malware attacks. Recently, various government organizations have been closed temporarily and had severe data losses due to ransomware infections.
Malware prevention
If we do not put attachments in our messages we can instruct our users not to open attachments in messages from us. As an alternative we can choose not to create the attachment at al. E.g. put a order confirmation in the body of the message. Otherwise you should provide the attachments as downloads in your application, typically by creating a personal page with available downloads.
Share your security policy
Notify your users that you will never use a hyperlink or an attachment in your communications and that they should never open a hyperlink or an attachment. Also instruct them to always navigate to your site by entering the address manually instead of using a bookmark or a link.
Follow the OutSystems Security Best Practices
In addition to the actions described above you should follow the OutSystems Platform Best Practices on security:
- Set the Web Screen’s Roles
- Be aware of sensitive data exchange
- DON’T send sensitive information in screen parameters
- Remember: Web Screen’s variables or Preparation outputs might be exposed in the URL or Viewstate
- When applicable, use SSL for sensitive information
- DO NOT rely on the Web Screen widgets interface to control permissions
- Validate user’s Roles before executing Screen Actions
- Use encrypted passwords in the database
- Use Internal Access Only for Web Flows and Web Services
Take the Master Class on Security for an in depth explanation of these practices.
