Other exploits

By Lisa Vaas  |  Posted 2007-03-26 Print this article Print

A new tool called Jikto can turn any PC or device with a browser into a site attacker.

Symantec reported that encrypted JavaScript was redirecting visitors. Other recent JavaScript exploits include the Yamanner virus that struck Yahoo's Webmail system and the Samy worm attack that targeted users of MySpace, Hoffman pointed out.

"We've seen [worm attacks] before, but infecting desktop applications," he said.

The Web appeals to attackers because it's ubiquitous, thus making a much more efficient delivery vehicle, Hoffman said: It will carry an attack to Windows, Linux, Mac, cell phones, smart phones or anything that understands JavaScript.

"I could write a piece of malware to only infect Windows or Linux users, or write it in JavaScript and have it infect everybody."

"JavaScript is kind of limited in what it's supposed to do," Hoffman told eWEEK. "But in the last few years people have found all kinds of neat tricks you can do with JavaScript."

Hoffman had originally intended to publicly release Jikto at ShmooCon, but said he reversed himself at the behest of SPI Dynamics officials, due to the damage attackers could do with the tool.

"We tend to use this as an educational process, to show look, this is where we are now with how bad things can be," he said.

Education is certainly needed, Hoffman said, given that most developers he knows are two and a half to three years behind on security.

"I wanted to get everyone cooked up and say, 'Here's all the things we're seeing it do in the wild.'"

While some security professionals have noted the rising number of cross-site scripting attacks, only recently have those attacks become "really, really dangerous," Hoffman said.

Outside the security industry, the awareness of the dangers are low. "We need to start taking Web vulnerabilities seriously," he said.

The question is, who can patch a browser to be immune to an attack such as Hoffman demonstrated with Jikto? No one, Hoffman said, because "there isn't anything fundamentally wrong with IE or Firefox."

Nor is the problem with JavaScript. The problem is that JavaScript is simply capable of doing things that can be subverted, Hoffman said.

"Some of its capabilities allow it to be used this way," he said. "It's like I have this crowbar, which I can use to break into a car, but it's also good for a lot of [positive] things as well. JavaScript isn't evil or bad inherently. It's just you can do things with it people didn't intend for you to do."

As it is, big Internet players including Google, eBay, PayPal, Yahoo and the Mozilla Foundation have found themselves used as cross-site scripting platforms due to vulnerabilities.

Just as they have addressed it, so too must smaller companies, Hoffman said.

"Google and Yahoo and eBay and PayPal, they throw millions a year, if not tens of millions, at Web security, at designing applications securely from the start," he said. "And even they make mistakes. But the big guys take this seriously. Small to medium companies with Web presence … should take it seriously. If [the big guys are] making mistakes, and they're pretty smart, chances are you're making mistakes too."

The fact that SDI Dynamics refrained from releasing the code should be no comfort. If Hoffman knows about the ability to use JavaScript maliciously in this way, as he demonstrated with Jikto, others certainly do as well.

"I'm not that smart a guy," he said. "If I'm talking about it at a conference, you better believe somebody else has figured it out. Those people have not told people about it" because they're likely quietly exploiting JavaScript in this way, he said. "They're likely selling [such code as] exploits, using to find vulnerabilities, or all sorts of things."

Jikto is more a proof of concept code sampling than a tool per se, Hoffman said.

"It's fairly easy for someone to reproduce my work. It's proof of concept code, maybe 900 lines of code total. Most of that was comments to myself and spacing. It wasn't that sophisticated a concept." Maybe not, but it did serve to show that "everybody has to get rid of cross-site scripting vulnerabilities," Hoffman said. "People who think it's not a problem should look to Google's" susceptibility, he said.

Check out eWEEK.com's Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK's Security Watch blog.

Lisa Vaas is News Editor/Operations for eWEEK.com and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on eWEEK.com, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.

Submit a Comment

Loading Comments...
eWeek eWeek

Have the latest technology news and resources emailed to you everyday.