The InformationWeek -- Blogs
Google

Topics:   Google : Google : Security

  • Email this page E-mail this page
  • Print this page Print this page
  • Bookmark and Share
  • icon

Yahoo Mail Exposure Left Plenty Of Opportunity For JavaScript Worm


Posted by Charles Babcock, Jun 14, 2006 11:18 PM

The Yahoo Mail worm exploited a JavaScript on-load function for HTML images, a function intended for Web applications to deliver a specific image-handling instruction to a browser. The on-load tag leaves space for 3 to 4 Kbytes of JavaScript to run in the browser. That's more than enough...

Three to 4 Kbytes of JavaScript is more than enough instructions to cause mayhem on a user's computer, according to Billy Hoffman, lead R&D researcher on the worm for SPI Dynamics, a security software firm.

The Yahoo Mail worm raided the user's address book on the server, downloaded it to the browser, composed a message, and then sent it to the addressees, using the blind carbon copy field in the address header so that the recipients couldn't see how a set of acquaintances was targeted with the same message at the same time.

It also captured and uploaded the addresses to a remote Web site, where it's likely they were intended for resale to spammers. Hoffman and other security experts think this may be a harbinger of things to come as Ajax proliferates.

Hoffman dissected the JavaScript behind the Yahoo Mail Yamanner worm to see what it did. One thing that never got reported was that, as a parting shot, it directed the user's computer to click on a bunch of ads on a Google site, a boon to Google since it collects revenue based on those clicks. As if Yahoo didn't have enough reason to be annoyed with this worm writer.

By design, there are hundreds of designated places where JavaScript may be inserted to perform certain functions on a Web page or in an e-mail message that's being read in a browser window, says Hoffman. That is, there are hundreds of places to include JavaScript, as set by World Wide Web Consortium published standards. Browsers are programmed to run JavaScript wherever they encounter it. They aren't programmed to ask, "Is this set of commands doing what I think it's supposed to do?"

Web application builders who want to employ Ajax or other forms of JavaScript are going to have to learn how to build in validation checks and restrictions that allow only the intended JavaScript functions to run, screening out imposters, says Hoffman.

« Daily News Podcast For Thursday, June 15 | Main | Desperately Seeking Neutrality »



Sign Up Now
For InformationWeek News Alerts




This is a public forum. United Business Media and its affiliates are not responsible for and do not control what is posted herein. United Business Media makes no warranties or guarantees concerning any advice dispensed by its staff members or readers.

Community standards in this comment area do not permit hate language, excessive profanity, or other patently offensive language. Please be aware that all information posted to this comment area becomes the property of United Business Media LLC and may be edited and republished in print or electronic format as outlined in United Business Media's Terms of Service.

Important Note: This comment area is NOT intended for commercial messages or solicitations of business.


 
Sign Up For The Grok on Google Newsletter
Every Thursday, Tom Claburn and his fellow analysts offer all the news, insight, analysis, and strategic thinking you need to understand the company and complex phenomenon known as Google.

Sign up for our free, weekly newsletter today!

Newsletter Archives


  :: THE LATEST GOOGLE NEWS ::



 

  1. Visual Studio 2010 Multi-Monitor Support Helps Debugging Parallel Code
  2. Sequential Programming: Like Eating Peas with a Straw.
  3. Biomolecular device using self-assembled DNA nanostructures?
Join The InformationWeek Group On LinkedIn


                           


  1. More Reasons Why Linux Misses The Desktop
  2. Too Much Netbook For Too Litl?
  3. Motorola Explains Why Droid Doesn't Have Multi-Touch
  4. Sprint And T-Mobile Headed The Wrong Direction

  1. Apple Releases Snow Leopard Security Patch
  2. 9 In 10 Web Apps Have Serious Flaws
  3. Agency For International Development Outsources To CSC
  4. Health IT Career Tips
  5. RIM, Adobe Team For BlackBerry Development
  6. Hadoop Crunches Web-Sized Data

 
  Ars Technica
Boing Boing
Channel 9 Forums
CRN Blogs
Dr.Dobb's Portal: Blogs
Engadget
Gizmodo
GrokLaw 		  Lifehacker
Schneier on Security
Slashdot
TechCrunch
Techdirt
Techmeme
Valleywag
  DECEMBER 2008
NOVEMBER 2008
OCTOBER 2008
SEPTEMBER 2008
AUGUST 2008
JULY 2008
JUNE 2008
MAY 2008 		  APRIL 2008
MARCH 2008
FEBRUARY 2008
JANUARY 2008
DECEMBER 2007
NOVEMBER 2007
OCTOBER 2007
SEPTEMBER 2007