The InformationWeek -- Blogs

Google

Topics:   Google : Google : Security

  • Email this page E-mail this page
  • Print this page Print this page
  • Bookmark and Share
  • icon

Yahoo Mail Exposure Left Plenty Of Opportunity For JavaScript Worm


Posted by Charles Babcock, Jun 14, 2006 11:18 PM

The Yahoo Mail worm exploited a JavaScript on-load function for HTML images, a function intended for Web applications to deliver a specific image-handling instruction to a browser. The on-load tag leaves space for 3 to 4 Kbytes of JavaScript to run in the browser. That's more than enough...

Three to 4 Kbytes of JavaScript is more than enough instructions to cause mayhem on a user's computer, according to Billy Hoffman, lead R&D researcher on the worm for SPI Dynamics, a security software firm.

The Yahoo Mail worm raided the user's address book on the server, downloaded it to the browser, composed a message, and then sent it to the addressees, using the blind carbon copy field in the address header so that the recipients couldn't see how a set of acquaintances was targeted with the same message at the same time.

It also captured and uploaded the addresses to a remote Web site, where it's likely they were intended for resale to spammers. Hoffman and other security experts think this may be a harbinger of things to come as Ajax proliferates.

Hoffman dissected the JavaScript behind the Yahoo Mail Yamanner worm to see what it did. One thing that never got reported was that, as a parting shot, it directed the user's computer to click on a bunch of ads on a Google site, a boon to Google since it collects revenue based on those clicks. As if Yahoo didn't have enough reason to be annoyed with this worm writer.

By design, there are hundreds of designated places where JavaScript may be inserted to perform certain functions on a Web page or in an e-mail message that's being read in a browser window, says Hoffman. That is, there are hundreds of places to include JavaScript, as set by World Wide Web Consortium published standards. Browsers are programmed to run JavaScript wherever they encounter it. They aren't programmed to ask, "Is this set of commands doing what I think it's supposed to do?"

Web application builders who want to employ Ajax or other forms of JavaScript are going to have to learn how to build in validation checks and restrictions that allow only the intended JavaScript functions to run, screening out imposters, says Hoffman.

« Daily News Podcast For Thursday, June 15 | Main | Desperately Seeking Neutrality »



Sign Up Now
For InformationWeek News Alerts




This is a public forum. United Business Media and its affiliates are not responsible for and do not control what is posted herein. United Business Media makes no warranties or guarantees concerning any advice dispensed by its staff members or readers.

Community standards in this comment area do not permit hate language, excessive profanity, or other patently offensive language. Please be aware that all information posted to this comment area becomes the property of United Business Media LLC and may be edited and republished in print or electronic format as outlined in United Business Media's Terms of Service.

Important Note: This comment area is NOT intended for commercial messages or solicitations of business.


 
Sign Up For The Grok on Google Newsletter
Every Thursday, Tom Claburn and his fellow analysts offer all the news, insight, analysis, and strategic thinking you need to understand the company and complex phenomenon known as Google.

Sign up for our free, weekly newsletter today!

Newsletter Archives


  :: THE LATEST GOOGLE NEWS ::



 

  1. Detecting Scalability Problems With Intel Parallel Universe Portal
  2. Just Say No To SFAQL Parallelism
  3. QuickThread: A New C++ Multicore Library
Join The InformationWeek Group On LinkedIn


                           


  1. AT&T, T-Mobile, Verizon All Offering Black Friday Sales
  2. Best Buy Rolls Out $99 Android Sale
  3. Apple Says Users To Blame For iPhone Virus
  4. iPhone And Android Dominate Mobile Web Browsing

  1. Apple Accepts PhoneGap For iPhone Development
  2. Apple Seeks Permanent Halt To Psystar Mac Clones
  3. NIST Director Sees Key Role In Emerging Technologies
  4. Sprint Gets Nod To Buy iPCS
  5. FCC Chair Wants More Broadband
  6. Gartner: Data Center Problems Ahead

 
  Ars Technica
Boing Boing
Channel 9 Forums
CRN Blogs
Dr.Dobb's Portal: Blogs
Engadget
Gizmodo
GrokLaw 		  Lifehacker
Schneier on Security
Slashdot
TechCrunch
Techdirt
Techmeme
Valleywag
  DECEMBER 2008
NOVEMBER 2008
OCTOBER 2008
SEPTEMBER 2008
AUGUST 2008
JULY 2008
JUNE 2008
MAY 2008 		  APRIL 2008
MARCH 2008
FEBRUARY 2008
JANUARY 2008
DECEMBER 2007
NOVEMBER 2007
OCTOBER 2007
SEPTEMBER 2007