
Javascript flaw causes con-sternation

Code exploits common browser scripting behaviour
Tue Apr 03 2007, 10:28
CODE THAT CAN hijack any Javascript-enabled web browser and turn it into a spybot platform has found its way onto the net, following a presentation by a security analyst at Shmoocon last month.

The code was developed by a researcher called Billy Hoffman, who works at SPI Dynamics, a security firm. He created the code as a proof of concept, designed to illustrate how insecure Javascript is within all web browsers.

Jikto, as the software is called, was not designed to be malicious - Hoffman only put it online, briefly, for the purposes of the demonstration at the conference. But it seems that eagle-eyed con-goers spotted the URL on the overhead projector and snagged a copy for themselves.

Security experts, foremost among them Steve Gibson, have repeatedly called for action on what they say is the appalling security offered by Javascript within the browser. The code works cross-platform, on Apple and Windows versions of Internet Explorer, Firefox and Safari.

Jikto attaches itself to web forms, such as those designed to input address details or forum posts. By attaching non-standard characters to the post, it can fool the webserver into running Javascript code within the browser. The software hooks into both the webserver and the browser, meaning that it is spread by one infected individual using multiple web forms, as well as multiple individuals using one infected web form. By attaching itself to the browser, Jikto is able to wait until it finds a form susceptible to the vulnerability, then infects it without the user having a clue.
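The form weakness described above, seen from the site developer's side, as an added example that is not code from the article or from Hoffman's tool: a forum page that echoes a submitted post as-is, next to one that encodes it on output. The function names and sample posts are constructed for illustration.

```javascript
// Added example: hypothetical function names, constructed sample data.

// Characters that let submitted text break out of an HTML text or attribute context.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before": the stored post is pasted into the page unchanged, so any markup
// in it becomes part of the document every later visitor loads.
function renderPostUnsafe(post) {
  return `<div class="post"><b>${post.author}</b>: ${post.body}</div>`;
}

// "After": every field is encoded on output, so it is displayed as text.
function renderPostSafe(post) {
  return `<div class="post"><b>${escapeHtml(post.author)}</b>: ${escapeHtml(post.body)}</div>`;
}

// Crude check for this demo: does the rendered fragment contain any tag
// other than the ones the template itself emits?
function containsUnexpectedTag(html) {
  const tags = html.match(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g) || [];
  return tags.some((t) => !['<div', '</div', '<b', '</b'].includes(t.toLowerCase()));
}

// Constructed form submissions: one ordinary, one carrying markup.
const samplePosts = [
  { author: 'alice', body: 'Shipping to 12 High St & Co.' },
  { author: 'mallory', body: '<script src="//example.invalid/x.js"></script>' },
];

// Returns, per sample post, whether the renderer let foreign markup through.
function auditRenderer(render) {
  return samplePosts.map((p) => containsUnexpectedTag(render(p)));
}

console.log('unsafe renderer:', auditRenderer(renderPostUnsafe)); // [ false, true ]
console.log('safe renderer:  ', auditRenderer(renderPostSafe));   // [ false, false ]
```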

The only way to avoid the glitch, should it potentially become widely used, is to turn off Javascript within the browser by default, and enable it only for sites that you trust. Unfortunately, given the prevalence of scripting across 'Web 2.0', this could end up breaking a lot of sites.

Given the potential this has to explode, it could be just the kind of catalyst that browser companies and site developers need to start taking some action against the massive security holes that Javascript provides. Ironically, this flaw could be the best thing to ever happen to scripting. µ

