Weird Thoughts From Eric's Head


Will Ajax get another bad rap? Yahoo worm

Just like the Samy worm that attacked MySpace last October, another JavaScript flaw, this time in Yahoo email, is using the good old XHR object to grab a user's address book and then using another technique to send the list of emails to a remote server. If you want to see the code, look here: you will see the famous lines that check for 4 and 200 on the XHR object!

Now this is why I stress, in every single one of my talks, making sure your code does not allow JavaScript injection if you are displaying user input! I have even given interviews (one example) where I stress that you need to do these checks. If something this big can affect a company like Yahoo, imagine what it can do to your site.
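To make the point concrete, here is an added example (my own code, not from the post or from Yahoo) of the difference between dropping user input straight into markup and encoding it first. The comment text below is a constructed sample; the function names are mine. It also includes a small server-side check that flags input that still looks like markup, which is the kind of thing worth logging.

```javascript
// Added example: output-encode untrusted text before it reaches HTML so that
// user-supplied markup (a stored comment, a mail body) is shown literally
// instead of being interpreted by the browser.

// Every character that carries meaning in HTML, mapped to its entity form.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode a value for insertion into HTML text or a quoted attribute.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: untrusted values concatenated straight into markup.
// Anything the user typed, tags included, becomes part of the page.
function renderCommentUnsafe(author, body) {
  return `<p><b>${author}</b>: ${body}</p>`;
}

// Hardened pattern: every untrusted value is encoded at the point of output.
function renderCommentSafe(author, body) {
  return `<p><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</p>`;
}

// Server-side check (hypothetical helper): does the raw input contain what looks
// like a tag or an inline event handler? Not a substitute for encoding, but a
// useful signal to log and alert on, since legitimate comments rarely contain it.
function looksLikeMarkup(untrusted) {
  return /<\s*\/?[a-z]/i.test(untrusted) || /\bon[a-z]+\s*=/i.test(untrusted);
}

// Constructed sample input: a comment body carrying an inert script tag.
const constructedBody = "nice post <script>/* constructed, inert */</script> thanks";

// Show both renderings side by side when run directly.
if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafe:", renderCommentUnsafe("alice", constructedBody));
  console.log("safe:  ", renderCommentSafe("alice", constructedBody));
  console.log("flagged:", looksLikeMarkup(constructedBody));
}
```

The unsafe rendering hands the browser a live script tag; the safe rendering shows the visitor the literal text `<script>`. Encoding belongs on the server (or in the templating layer) at the moment of output, because the client-side checks mentioned in the comments below can be bypassed by anyone who does not use your form.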



Eric Pascarello
Coauthor of Ajax In Action
Moderator of HTML/JavaScript at www.JavaRanch.com
Author of: JavaScript: Your Visual Blueprint for building Dynamic Web Pages


I actually received one of those emails, in my Gmail account though, so it didn't affect me. It's interesting how a little bit of JavaScript can be used in such a bad way. I can't stand spam. But if it helps a company fix their errors, maybe it'll turn out to be a good thing for that company.

It's not interesting how JavaScript can be used in such a way; it's interesting to see that we're a decade into serious web development and still people think client-side checks provide any kind of trust and not just usability.

Kaper, the reason this flaw happened was a flaw in the server-side protection. I think you need to focus on that fact. Eric

