TechTarget

Hackers use Ajax to access Yahoo e-mails

A worm targeting Yahoo e-mail users illustrates how the open source Ajax web development language can open the door to attackers, security experts have warned.


Ajax (Asynchronous JavaScript and XML) is designed to make web pages feel more responsive and increase interactivity. Its use is increasingly popular, and last month 30 companies participating in the OpenAjax Alliance agreed on a definition of Ajax in a bid to spread its use.

Billy Hoffman, lead R&D engineer at security firm SPI Dynamics, warned that the Yamanner worm that hit Yahoo mail users last week “propagates using nothing but JavaScript and Ajax”.

Hoffman, who has discussed the worm with the FBI, warns on an SPI blog that Ajax makes the Cross Site Scripting (XSS) language used by hackers more of a threat.

XSS is “a really big problem that most people don’t take seriously enough”, he says. “In the past XSS was mainly used for cookie theft, session hijacking, petty vandalism, or to just be annoying. But Ajax, with its ability to make HTTP connections from JavaScript without user intervention, makes XSS much more dangerous.”

The combination of XSS and Ajax was first used in the public domain with the launch of the MySpace worm, also known as the Samy worm, in October 2005, Hoffman added.
