Yahoo Mail Worm May Be First Of Many As Ajax Proliferates
Companies are quickly embracing Ajax and related techniques for Web applications. Expect more security problems like the Yamanner worm along the way.
The Yamanner worm that infested Yahoo Mail was quickly countered by making a change to the Internet servers that administer Yahoo's popular email program. Nevertheless, over a 36-hour period, the world got a glimpse of what's in store for it unless stricter measures are followed in building Web applications.
"This kind of worm shouldn't be a surprise to anyoneWe can expect to continue to see viruses" as long as Web sites and enterprises are implementing Ajax applications without understanding their vulnerabilities, said David Wagner, assistant professor of computer science at the University of California at Berkeley, in an email explanation of what happened.
Without careful, designed-in security, Web applications using Ajax will open many additional doors to malicious code writers. The worm in Yahoo Mail, dubbed Yamanner, was able to send a request from the user's computer to a Yahoo Mail server, seeking the names in the user's address book. It then composed a message to all those names and sent them out as a means of spreading itself, as recipients opened their messages.
Unlike previous worms, it did not travel in the form of an attachment or require the user to click on a link or icon. Merely opening a message from an infect source exposed the user, and within seconds, all the names in the user's address book.
In addition to ordering the user's computer to query the Yahoo mail server for the user's address book, generate a message and send them out to each name in the address book, Yamanner also captured the addresses and uploaded them to a still unidentified Web site.
By doing so, it was building an email list with many thousands of names that could be sold to spammers, note Web security experts.
Why would one of the world's largest email suppliers leave such an exposure in its Web service? Yahoo couldn't be reached for comment, but probably because, like other Ajax-based functions, it was useful to its email users.
"You don't have to be that clever. It's pretty easy," said McGraw.
Once discovered, such an opening is often shared with other hackers and several forms of attack materialize on the exposure at once. In Yahoo's case, the hole appears to have been filled before additional attackers could exploit it.
Future vulnerabilities are likely to be found in mash-ups, the combination of a known service based on Ajax, such as Google Maps, and some service added on top of them. Google Maps is widely used in online services, including apartment hunting sites.
We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.