Yahoo Mail Worm May Be First Of Many As Ajax Proliferates
Companies are quickly embracing Ajax and related techniques for Web applications. Expect more security problems like the Yamanner worm along the way.
The Yamanner worm that infested Yahoo Mail was quickly countered by making a change to the Internet servers that administer Yahoo's popular email program. Nevertheless, over a 36-hour period, the world got a glimpse of what's in store for it unless stricter measures are followed in building Web applications.
"This kind of worm shouldn't be a surprise to anyoneWe can expect to continue to see viruses" as long as Web sites and enterprises are implementing Ajax applications without understanding their vulnerabilities, said David Wagner, assistant professor of computer science at the University of California at Berkeley, in an email explanation of what happened.
Without careful, designed-in security, Web applications using Ajax will open many additional doors to malicious code writers. The worm in Yahoo Mail, dubbed Yamanner, was able to send a request from the user's computer to a Yahoo Mail server, seeking the names in the user's address book. It then composed a message to all those names and sent them out as a means of spreading itself, as recipients opened their messages.
Unlike previous worms, it did not travel in the form of an attachment or require the user to click on a link or icon. Merely opening a message from an infect source exposed the user, and within seconds, all the names in the user's address book.
In addition to ordering the user's computer to query the Yahoo mail server for the user's address book, generate a message and send them out to each name in the address book, Yamanner also captured the addresses and uploaded them to a still unidentified Web site.
By doing so, it was building an email list with many thousands of names that could be sold to spammers, note Web security experts.
Why would one of the world's largest email suppliers leave such an exposure in its Web service? Yahoo couldn't be reached for comment, but probably because, like other Ajax-based functions, it was useful to its email users.
"You don't have to be that clever. It's pretty easy," said McGraw.
Once discovered, such an opening is often shared with other hackers and several forms of attack materialize on the exposure at once. In Yahoo's case, the hole appears to have been filled before additional attackers could exploit it.
Future vulnerabilities are likely to be found in mash-ups, the combination of a known service based on Ajax, such as Google Maps, and some service added on top of them. Google Maps is widely used in online services, including apartment hunting sites.
[Interop ITX 2017] State Of DevOps ReportThe DevOps movement brings application development and infrastructure operations together to increase efficiency and deploy applications more quickly. But embracing DevOps means making significant cultural, organizational, and technological changes. This research report will examine how and why IT organizations are adopting DevOps methodologies, the effects on their staff and processes, and the tools they are utilizing for the best results.
2017 State of IT ReportIn today's technology-driven world, "innovation" has become a basic expectation. IT leaders are tasked with making technical magic, improving customer experience, and boosting the bottom line -- yet often without any increase to the IT budget. How are organizations striking the balance between new initiatives and cost control? Download our report to learn about the biggest challenges and how savvy IT executives are overcoming them.