Tuesday, August 8th, 2006

Ajax Hacking for Fun and Profit?

Category: Articles, Security

Apparently, not all is well in the world of Ajax (who knew?), according to this news story on the USA Today website. In it, they talk about the malicious nature of some of the Ajax functionality they’re seeing, and how it’s on the rise.

Recent high-profile attacks include June’s Yamanner computer worm, designed to harvest e-mail addresses from Yahoo mail users and send them to spammers in Europe; and Spaceflash, which installed adware (advertisements and tracking programs implanted surreptitiously) on the hard drives of more than a million MySpace users.

And, of course, an “evil Ajax” article wouldn’t be complete without a mention of everyone’s favorite worm, Samy. They talk about the potential hazards of going to other sites, like MySpace, that allow any and all users to change the page’s information. And, as they say, this is only the beginning – as Ajax spreads, issues will keep coming up more and more frequently.

Posted by Chris Cornutt at 8:33 am
6 Comments


Holy FUD.

“By corrupting one of the dozens of data exchanges Ajax handles while loading a Web page, a hacker can take over control of the PC.”

Gee, that sounds like a browser bug to me. Not to mention a complete misunderstanding of the technology (“dozens of data exchanges” while simply loading?).

Once again, this fails to show me a single door opened to attackers by using Ajax calls that they didn’t already have with non-Ajax driven sites. Please try to keep the posts limited to articles actually thought out by the author instead of chicken little panic attacks by idiotic writers trying to generate a burst of page hits.

Comment by The Hater — August 8, 2006

The Hater is right. This isn’t AJAX. Don’t hate the player, hate the game.

Comment by Ken Fehling — August 8, 2006

I thought MySpace didn’t allow javascript?

Comment by Josh — August 8, 2006

They don’t. However, their method of finding/purging the script tags wasn’t very robust and was circumvented (I believe it had to do with line breaks or some other whitespace trick).

Comment by Ben — August 8, 2006

So was there any validity to that story? We had someone basically point that article out as a reason why ASP.NET was superior to AJAX techniques, and thereby insinuating we are idiots for suggesting the use of AJAX in the first place. We just don’t buy into that. :)

Comment by Brandon — August 9, 2006

Brandon: wha? ASP.NET and ajax are like apples and oranges. I’m sure there are ppl doing ajax with ASP.NET, just like any other server side framework. Your critic was clueless.

Comment by Rob Sanheim — August 9, 2006
