Network Computing is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Yahoo Mail Worm May Be First Of Many As Ajax Proliferates

The Yamanner worm that infested Yahoo Mail last week was quickly squashed. In the 24-hour period it thrived, though, the worm provided a glimpse of what's in store for Internet users unless companies apply strict measures when building Web applications with techniques such as Ajax.

The worm exploited a weakness related to JavaScript, which is a key component of Ajax, a set of technologies being used more frequently for interactive Web applications. That's what made last week's worm worrisome. Ajax can be used securely, but without careful, designed-in security, Web apps using it open additional doors to writers of malicious code.

"This kind of worm shouldn't be a surprise to anyone," says David Wagner, assistant professor of computer science at the University of California at Berkeley. We'll see more such worms and viruses as long as Web sites and companies implement Ajax applications without understanding their vulnerabilities, he predicts.

The Yamanner worm exploited JavaScript for uploading an image from a user's Yahoo Mail message, substituting its own JavaScript commands. That let the worm send a request from a person's computer to a Yahoo Mail server for names in the user's address book. It then sent a message to each name as a means of spreading itself. Most troubling, merely opening the message exposed the user; it didn't require the recipient to open an attachment or click on a link or icon. It also uploaded names to an unidentified Web site. "The problem isn't that Yahoo is incompetent. The problem is that filtering JavaScript to make it safe is very, very hard," Wagner says. Yahoo declined to discuss the attack beyond saying it had resolved the problem.

Future vulnerabilities are likely to be found in mash-ups, the combination of a known service based on Ajax and some service added on top. "JavaScript was dangerous before Ajax came around," says Billy Hoffman, lead R&D researcher at SPI Dynamics, a provider of Web application security and testing technology. With the addition of Ajax functionality in many other Web applications, the problem is going to get worse before it gets better, Hoffman predicts.

  • 1