A worm targeting Yahoo e-mail users illustrates how the open source Ajax web development technique can open the door to attackers, security experts have warned.
Ajax (Asynchronous JavaScript and XML) is designed to make web pages feel more responsive and more interactive. Its use is increasingly popular, and last month 30 companies participating in the OpenAjax Alliance agreed on a definition of Ajax in a bid to spread its use.
Billy Hoffman, lead R&D engineer at security firm SPI Dynamics, warned that the Yamanner worm that hit Yahoo mail users last week “propagates using nothing but JavaScript and Ajax”. Hoffman, who has discussed the worm with the FBI, warns on an SPI blog that Ajax makes the Cross Site Scripting (XSS) attacks used by hackers more of a threat.
XSS is “a really big problem that most people don’t take seriously enough”, he says. “In the past XSS was mainly used for cookie theft, session hijacking, petty vandalism, or to just be annoying. But Ajax, with its ability to make HTTP connections from JavaScript without user intervention, makes XSS much more dangerous.”
The combination of XSS and Ajax was first seen in the wild with the launch of the MySpace worm, also known as the Samy worm, in October 2005, Hoffman added.