Author Topic: Would you like a security hole in your machine with that cup of javascript?  (Read 1938 times)

Offline W1nTry

Hmm..
Quote
Javascript flaw causes con-sternation

Code exploits common browser scripting behaviour

By INQUIRER newsdesk: Tuesday 03 April 2007, 09:28

CODE THAT CAN hijack any Javascript enabled web browser and turn it into a spybot platform has found its way onto the net, following a presentation by a security analyst at Shmoocon last month.

The code was developed by a researcher called Billy Hoffman, who works at Spy Dynamics, a security firm. He created the code as proof of concept, designed to illustrate how insecure Javascript is within all web browsers.

Jitko, as the software is called, was not designed to be malicious - Hoffman only put it online, briefly, for the purposes of the demonstration at the conference. But it seems that eagle-eyed con-goers spotted the URL on the overhead projector and snagged a copy for themselves.

Security experts, foremost among them Steve Gibson, have repeatedly called for action on what they say is the appalling security offered by Javascript within the browser. The code works cross-platform, on Apple and Windows versions of Internet Explorer, Firefox and Safari.

Jitko attaches itself to web forms, such as those designed to input address details or forum posts. By attaching non-standard characters to the post, it can fool the webserver into running Javascript code within the browser. The software hooks into both the webserver and the browser, meaning that it is spread by one infected individual using multiple web forms, as well as multiple individuals using one infected web form. By attaching itself to the browser, Jitko is able to wait until it finds a form susceptible to the vulnerability, then infects it without the user having a clue.

The only way to avoid the glitch, should it potentially become widely used, is to turn off Javascript within the browser by default, and enable it only for sites that you trust. Unfortunately, given the prevalence of scripting across 'Web 2.0', this could end up breaking a lot of sites.

Given the potential this has to explode, it could be just the kind of catalyst that browser companies and site developers need to start taking some action against the massive security holes that Javascript provides. Ironically, this flaw could be the best thing to ever happen to scripting. µ

Carigamers
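Added example, not part of the original post or the quoted article: on the site's side, the behaviour the article describes (text typed into a web form later running as script in a reader's browser) is addressed by encoding every submitted field at the point of output. The sketch below shows a forum-post renderer in its unsafe form beside the encoded one; all function names, the sample post and the header value are assumptions made for illustration.

```javascript
// Added illustration. escapeHtml, renderPostUnsafe, renderPostSafe,
// securityHeaders and samplePost are hypothetical names, not from the article.

// The five characters that let text break out of HTML text content
// or out of a quoted attribute value.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Unsafe: submitted fields are concatenated into the page as-is, so markup
// typed into a field becomes markup in every reader's browser.
function renderPostUnsafe(post) {
  return `<div class="post" title="${post.title}"><b>${post.author}</b>: ${post.body}</div>`;
}

// Hardened: every field is encoded where it is written into the page,
// in the attribute value as well as in the element text.
function renderPostSafe(post) {
  return `<div class="post" title="${escapeHtml(post.title)}">` +
         `<b>${escapeHtml(post.author)}</b>: ${escapeHtml(post.body)}</div>`;
}

// Second layer: a policy without 'unsafe-inline' makes the browser refuse
// inline <script> blocks and inline event handlers even if encoding is missed.
function securityHeaders() {
  return { 'Content-Security-Policy': "default-src 'self'; script-src 'self'; object-src 'none'" };
}

// Constructed sample input: one field targets the attribute, one the body.
const samplePost = {
  author: 'guest',
  title: 'hello" onmouseover="alert(1)',
  body: 'Nice thread <script>alert(1)</script>',
};

console.log(renderPostUnsafe(samplePost));
console.log(renderPostSafe(samplePost));
```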


 

