Commentary
Yahoo Mail Exposure Left Plenty Of Opportunity For JavaScript Worm
The Yahoo Mail worm exploited a JavaScript on-load function for HTML images, a function intended for Web applications to deliver a specific image-handling instruction to a browser. The on-load tag leaves space for 3 to 4 Kbytes of JavaScript to run in the browser. That's more than enough...The Yahoo Mail worm exploited a JavaScript on-load function for HTML images, a function intended for Web applications to deliver a specific image-handling instruction to a browser. The on-load tag leaves space for 3 to 4 Kbytes of JavaScript to run in the browser. That's more than enough...Three to 4 Kbytes of JavaScript is more than enough instructions to cause mayhem on a user's computer, according to Billy Hoffman, lead R&D researcher on the worm for SPI Dynamics, a security software firm.
The Yahoo Mail worm raided the user's address book on the server, downloaded it to the browser, composed a message, and then sent it to the addressees, using the blind carbon copy field in the address header so that the recipients couldn't see how a set of acquaintances was targeted with the same message at the same time.
More Internet Insights
White Papers
- Mobile BI: Actionable Intelligence for the Agile Enterprise
- Red Alert: Why Tablet Security Matters - by BlackBerry
Reports
- How Google+, Facebook Impact Corporate Strategy: Social Media and IT at a Crossroads
- IT Pro Impact: NFC and Mobile Commerce
Webcasts
- Maximize ROI with Database Consolidation onto Private Clouds
- Outsourcing Security: What Every Potential Cloud Security Customer Should Know
It also captured and uploaded the addresses to a remote Web site, where it's likely they were intended for resale to spammers. Hoffman and other security experts think this may be a harbinger of things to come as Ajax proliferates.
Hoffman dissected the JavaScript behind the Yahoo Mail Yamanner worm to see what it did. One thing that never got reported was that, as a parting shot, it directed the user's computer to click on a bunch of ads on a Google site, a boon to Google since it collects revenue based on those clicks. As if Yahoo didn't have enough reason to be annoyed with this worm writer. By design, there are hundreds of designated places where JavaScript may be inserted to perform certain functions on a Web page or in an e-mail message that's being read in a browser window, says Hoffman. That is, there are hundreds of places to include JavaScript, as set by World Wide Web Consortium published standards. Browsers are programmed to run JavaScript wherever they encounter it. They aren't programmed to ask, "Is this set of commands doing what I think it's supposed to do?"
Web application builders who want to employ Ajax or other forms of JavaScript are going to have to learn how to build in validation checks and restrictions that allow only the intended JavaScript functions to run, screening out imposters, says Hoffman.
Related Reading
 |
To upload an avatar photo, first complete your Disqus profile. | View the list of supported HTML tags you can use to style comments. | Please read our commenting policy. |
|
T-Shirt Giveaway: Each week we're selecting one great comment from our readers. The author of the comment will receive an InformaitonWeek Community t-shirt. So get posting! |
Subscribe to RSSResource Links
This Week's Issue
Technology Whitepapers
- Creating the Enterprise-Class Tablet Environment - by Yankee Group
- How To Regain IT Control In An Increasingly Mobile World - by BlackBerry
- The BlackBerry PlayBook tablet's Good Bones - by BlackBerry
- Red Alert: Why Tablet Security Matters - by BlackBerry
- New Visual and Wizard-Driven Paradigms for Exploring Data and Developing Analytic Workflows
Featured Resource
Download this whitepaper and find out how to easily manage web content by categorizing it into a discrete number of categories.
Learn More
