Yahoo Mail Exposure Left Plenty Of Opportunity For JavaScript Worm - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
Mobile // Mobile Applications
Commentary
6/14/2006
11:18 PM
Charles Babcock
Charles Babcock
Commentary
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Yahoo Mail Exposure Left Plenty Of Opportunity For JavaScript Worm

The Yahoo Mail worm exploited a JavaScript on-load function for HTML images, a function intended for Web applications to deliver a specific image-handling instruction to a browser. The on-load tag leaves space for 3 to 4 Kbytes of JavaScript to run in the browser. That's more than enough...

The Yahoo Mail worm exploited a JavaScript on-load function for HTML images, a function intended for Web applications to deliver a specific image-handling instruction to a browser. The on-load tag leaves space for 3 to 4 Kbytes of JavaScript to run in the browser. That's more than enough...Three to 4 Kbytes of JavaScript is more than enough instructions to cause mayhem on a user's computer, according to Billy Hoffman, lead R&D researcher on the worm for SPI Dynamics, a security software firm.

The Yahoo Mail worm raided the user's address book on the server, downloaded it to the browser, composed a message, and then sent it to the addressees, using the blind carbon copy field in the address header so that the recipients couldn't see how a set of acquaintances was targeted with the same message at the same time.

It also captured and uploaded the addresses to a remote Web site, where it's likely they were intended for resale to spammers. Hoffman and other security experts think this may be a harbinger of things to come as Ajax proliferates.

Hoffman dissected the JavaScript behind the Yahoo Mail Yamanner worm to see what it did. One thing that never got reported was that, as a parting shot, it directed the user's computer to click on a bunch of ads on a Google site, a boon to Google since it collects revenue based on those clicks. As if Yahoo didn't have enough reason to be annoyed with this worm writer. By design, there are hundreds of designated places where JavaScript may be inserted to perform certain functions on a Web page or in an e-mail message that's being read in a browser window, says Hoffman. That is, there are hundreds of places to include JavaScript, as set by World Wide Web Consortium published standards. Browsers are programmed to run JavaScript wherever they encounter it. They aren't programmed to ask, "Is this set of commands doing what I think it's supposed to do?"

Web application builders who want to employ Ajax or other forms of JavaScript are going to have to learn how to build in validation checks and restrictions that allow only the intended JavaScript functions to run, screening out imposters, says Hoffman.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Commentary
2021 Outlook: Tackling Cloud Transformation Choices
Joao-Pierre S. Ruth, Senior Writer,  1/4/2021
News
Enterprise IT Leaders Face Two Paths to AI
Jessica Davis, Senior Editor, Enterprise Apps,  12/23/2020
Slideshows
10 IT Trends to Watch for in 2021
Cynthia Harvey, Freelance Journalist, InformationWeek,  12/22/2020
White Papers
Register for InformationWeek Newsletters
Video
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you.
Slideshows
Flash Poll