Comments on: A Yahoo Mail Ajax Worm?

By: Web 2.0

Web 2.0 — Sun, 18 Jun 2006 13:50:19 +0000

Vulnerability 2.0 : Worms in our web

As web 2.0 sites are growing up, common side effects of grown-up software are coming along. First sign was the worm that attacked MySpace.com last year. Only a week ago Yahoo! Mail was attacked by a javascript worm. Some argue…

By: strimble

strimble — Thu, 15 Jun 2006 01:22:16 +0000

I mentioned this the other day on my blog also. I actually received the malicious email. The subject line said ‘New Graphic Site’.

Anyone need an invitation to Gmail?

By: Per A. Noid

Per A. Noid — Wed, 14 Jun 2006 22:51:36 +0000

Any HTML page is subject to code insertion right? That’s not new to ajax. Server-side check and validate anything from the Web. We learned that with CGI in 1995.

Granted an efficiency of this attack was the fact that the address book could data be retrieved easily, lowering the bar over how inserted code could otherwise get addresses in a non-ajax Web based email program as well and spoof submissions to the web interface to the SMTP process. (It just would do it more slowly with lots more request response).

Seems that Yahoo!’s exposure was more related to the fact that it had an email service exposed over HTTP and thus enabled information to propagate to others via the email service in the domain and leave the domain via the web api to its SMTP processes. Since XHR disallows cross sub-domain data exchange, and even iframes disallow cross domain data access, the real hole here was the HTTP service that allowed mail to be sent, unverified — a server side implementation issue more than an inherent problem in XHR, JavaScript, or XML.

Isnâ€™t that a pretty narrow case? EG. If youâ€™re not making web based email services this kind of security loop hole would not pertain?

By: Berend de Boer

Berend de Boer — Wed, 14 Jun 2006 22:36:51 +0000

How do you actually clear user input 100%? Is there a definitive, and provably correct, overview of how to make sure all malicious input in an input field is cleared?

By: Scott Schiller

Scott Schiller — Wed, 14 Jun 2006 15:58:04 +0000

I was looking at the source of this on Monday morning, laughing and saying “This thing uses XHR, it’s an Ajax ‘worm’! Someone call up the Ajaxian.com guys, quick!” ;) We laughed and left it at that, but it’s nice to see it actually getting a mention. With all the interest and hype around it, it should be mentioned that it has its potential dangers as well. While not new (you could set an img .src attribute to request data from any server), the added ability to parse XHR responses makes it potentially more dangerous.

By: IT Eclectic » Blog Archive » Today’s Web 2.0 digest

IT Eclectic » Blog Archive » Today’s Web 2.0 digest — Wed, 14 Jun 2006 15:35:30 +0000

[...] An axe to grind with Ajax [Ajaxian] A Yahoo Mail Ajax Worm? [Ajaxian] Java and Ajax Webinar [Ajaxian] Google Ajax Search API [Ajaxian] [...]

By: Joe Grossberg

Joe Grossberg — Wed, 14 Jun 2006 14:44:51 +0000

Yahoo! Mail Worm

The Yahoo! worm I mentioned earlier uses Ajax to harvest those email addresses. Ajaxian has the (safely-viewable) source code. Interesting….