RealTime IT News

Experts: JavaScript Not Just a Hotmail Problem

Web developers and users were warned Friday that security vulnerabilities in Web-based e-mail and other sites that allow user postings may be more widespread than previously thought.

According to security experts, most major Web mail services, message boards, guest books and auction postings are not completely screening for JavaScript. As a result, the services enable users to embed code which is automatically executed when the page is displayed by others.

"My guess is that 98 percent of the Web sites that allow users to supply text have a bug somewhere, because it's so hard to catch all the locations," said Richard M. Smith, an independent security consultant in Cambridge, Mass.

The warnings follow reports Monday that it's possible to inject JavaScript into e-mail messages which, when opened by some users of Microsoft's (MSFT) Hotmail service, could perform malicious tasks. Microsoft officials insist Hotmail is not unique and that the attacks described by Bulgarian programmer Georgi Guninski could be implemented on any Web-based e-mail service.

What might have seemed a public relations brush-off by Microsoft has proven to be disturbingly true. Martin Battaliou, a London-based programmer for a large telecommunications firm, said he has since uncovered vulnerabilities in almost all of the most popular Web mail services and has developed demonstration exploits that use embedded JavaScript to steal passwords, change user settings, and otherwise wreak havoc with others' accounts -- just by getting them to view a message sent to their Web-based e-mail account.

"The risks here are tremendous. If you want to choose a link and go to another URL you must log off your Web mail. If you click the link, you run the risk of infecting all your settings or having all your e-mail deleted," Battaliou said.

While most Web mail services attempt to strip JavaScript out of incoming messages, InternetNews.com has confirmed that Battaliou's demonstration messages work as described when viewed using Web mail offerings from at least two major providers.

Similarly, Smith claimed he's been able to inject JavaScript code into Web pages created by some Web message board software, guest books, and online profiles. Also vulnerable, according to Smith, are auction listings at eBay -- despite reports of the vulnerability five months ago by a group called Because We Can, which dubbed the attack the eBayla Bug.

"There's going to have to be a lot of education for Web site developers about how to do the filtering. For users, a lot of this stuff is obscure and maybe nobody will care, but there is this very general problem," Smith said.
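The filtering problem described above, as an added example that is not from the article or from any service it names: a filter that only strips `<script>` elements is compared with encoding the whole posting on output. The function names, the `noop()` placeholder and the sample postings are hypothetical and constructed for illustration.

```javascript
// Constructed sample postings; the script bodies are harmless placeholders.
const samples = [
  { name: "script element", body: "Hi<script>noop()</script>" },
  { name: "event-handler attribute", body: '<img src="x.gif" onload="noop()">' },
  { name: "javascript: URL", body: '<a href="javascript:noop()">photos</a>' },
];

// Weak approach: remove <script>...</script> blocks and pass everything else through.
function stripScriptTags(html) {
  return html.replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, "");
}

// Stronger approach for text shown inside an HTML element: encode every
// character that can start markup, so the posting is displayed, not parsed.
// (Attribute, URL and script contexts each need their own encoding.)
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Rough audit check (not a sanitizer): does the output still contain a tag
// that carries script in one of the three locations sampled above?
function hasActiveMarkup(html) {
  return (
    /<script\b/i.test(html) ||
    /<[^>]+\son\w+\s*=/i.test(html) ||
    /<[^>]+(?:href|src)\s*=\s*["']?\s*javascript:/i.test(html)
  );
}

// Run one filter over every sample and report what survives it.
function audit(filter) {
  return samples.map((s) => ({
    name: s.name,
    stillActive: hasActiveMarkup(filter(s.body)),
  }));
}

console.log("strip <script> only:", audit(stripScriptTags));
console.log("escape on output:   ", audit(escapeHtml));
```

The tag-stripping filter handles only the first sample, while output encoding neutralizes all three because it does not depend on enumerating every place script can appear.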

According to Battaliou, some Web mail services make writing JavaScript attacks easy, because they allow users to view the source code of the pages that handle changing account options, vacation reminders, forwarding, and other services. He has notified providers about the security issues, but has received only a limited response.

"It seems as though either they are aware of the problem and are thinking about doing something about it, or they are waiting for something to happen. If it's the latter, I'm sure that as time draws on something is going to happen."