First Jikto hits the web, and now this. JavaScript hijacking vulnerabilities in a number of popular web application frameworks, including ones from Google, Microsoft, and Yahoo, could be a threat until their libraries receive fixes.

Fortify Software posted an advisory about the JavaScript issue. Their description of the problem resembles what Jikto can accomplish. Here’s the Fortify summary:

The attack works by using a <script> tag to circumvent the Same Origin Policy enforced by Web browsers.

This is Hoffman’s discussion of Jikto, a JavaScript based web scanner that has the potential to silently install on a web browser and probe websites for cross-site scripting vulnerabilities:

As my Shmoocon presentation slides discuss, Jikto bypasses the "Same Origin Policy" by using a proxy website like the-cloak, proxydrop, Google Translate, etc.

Part of Hoffman’s source code for Jikto has been released on the Internet. Fortify took aim at several frameworks in their analysis of the possibility for a JavaScript threat to exploit them:

We analyzed 12 popular Ajax frameworks, including 4 server-integrated toolkits – Direct Web Remoting (DWR), Microsoft ASP.NET Ajax (a.k.a. Atlas), xajax and Google Web Toolkit (GWT) — and 8 purely client-side libraries — Prototype, Script.aculo.us, Dojo, Moo.fx, jQuery, Yahoo! UI, Rico, and MochiKit. We determined that among them only DWR 2.0 implements mechanisms for preventing JavaScript Hijacking.

JavaScript transports data, making it possible that an unauthorized application could read the data going to a legitimate site. If that data includes confidential information, then a hijack can bring that data to another party.

The concept was demonstrated quite painfully to Google early in 2006. Jeremiah Grossman detailed a GMail flaw that could reveal someone’s GMail contact information. Google fixed that problem shortly thereafter.

Frameworks will be updated to resist JavaScript hijacking attempts. Ajax developers will want to verify their applications can resist potential break-ins and be aware of the ramifications of the problem:

The loophole in the Same Origin Policy is that it allows JavaScript from any website to be included and executed in the context of any other website. Even though a malicious site cannot directly examine any data loaded from a vulnerable site on the client, it can still take advantage of this loophole by setting up an environment that allows it to witness the execution of the JavaScript and any relevant side effects it may have. Since many Web 2.0 applications use JavaScript as a data transport mechanism, they are often vulnerable while traditional Web applications are not.

For those who may be unaware, the issue occurred when a search of the term “Google AdSense” was performed. When the search results appeared, the first spot was taken by www.all-in-one-business.com/adsense/, which appeared to be using a meta redirect to re-navigate visitors to Google’s AdSense homepage.

Because the meta redirect was employed, many thought the site owner, Kevin Bidwell, was maliciously trying to hijack Google’s listing and reap the PageRank benefits from doing so. However, Kevin insisted this was not the case. In fact, he used his site to offer an explanation of what happened (oddly enough, the explanation is on the same page the redirect action was occurring). Kevin says:

Why this little page has become relatively famous

This week a search engine blogger or two noticed something strange-when they searched for “adsense” or “google adsense” on Google, this page came up first in the results. Google came up second. This anomaly was caused by my using a simple meta refresh redirect to point people from my site to Google’s adsense page.

Once one blog had picked it up, many others did as well, creating a small stir. Some people claimed I was a hero, finally demonstrating to all one of Google’s fatal flaws. Others called me a hijacker, stealing page rank and position.

The reality is much less impressive.

I write articles and they are often syndicated throughout the web. A couple years ago when GoTo changed it’s name to Overture I realized I had a problem-all the articles I had written about GoTo now had outdated links in them. From then on I began using meta redirects for most of the URLs in articles I write. That way if a link changes I just have to make a small change on my own site, rather than having to email a couple dozen webmasters.

In other words, the hijack was not intentional, and it exposed a flaw in Google’s method of dealing with redirects.

Danny Sullivan expanded on Google’s apparent difficulty with dealing with redirects on the SearchEngineWatch Blog. In his post, Danny feels Kevin’s explanation is reasonable and proceeds to place the blame directly on Google:

Say it again. It hit Google. Google got its own listing hijacked. I thought I’d seen huge irony in March when WordPress spammed Google after pledging right on the Google Blog to help fight spam or when Google banned one if its own pages for cloaking. But this takes the cake. Google’s redirect bug bites Google itself.

Currently, the Google AdSense homepage has regained the top organic listing for the search term in question. However, it’s not certain as to whether or not they’ve corrected the manner in which they deal with redirects.

Chris Richardson is a search engine writer and editor for WebProNews. Visit WebProNews for the latest search news.

I use FeedDemon version 1.5 (the latest version). If you’re familiar with FeedDemon, you’ll know that you have channel groups that contain individual channels (the RSS feeds) of blogs you select to receive the feeds.

This morning I noticed that one of my channel groups showed no updated feeds since yesterday morning. Yet the channel group concerned lists the feeds from blogs that are frequently updated, many times a day in many cases. A quick check of some of those blogs shows lots of updated posts, but none of the RSS feeds in Feed Demon shows those posts.

I posted a comment in the Feed Demon support forum about it. Then, I checked a little further into the properties of each of the channels – and discovered that the feed URL in every single channel in this group (28 channels) has been changed to something else, as this screenshot for one of those feeds shows.

Wow! I’ve not encountered anything like this before. Something has hijacked the RSS feed URLs for every single channel. So every time the channels in this group check for updates (that’s once per hour), it’s going to this hijacker URL. And what’s happening then, I wonder?

This may be coincidental, but the only thing I can think of that might be the cause for this is that I’ve been connected to ‘foreign’ networks for the past couple of days when I was in Paris for Les Blogs. So yesterday I was connected to the network at my hotel. Yet there was nothing that would indicate to me that anything untoward was going on.

I don’t believe for a minute that this is a Feed Demon issue, although if it’s a virus or trojan or something, maybe it might be of concern to Nick Bradbury, Feed Demon’s developer, that something like this could happen.

So I’m now running a deep scan of my PC with Norton AntiVirus as well as checking for spyware with Microsoft AntiSpyware to see if that turns up anything.

Has anyone else experienced anything like this?

Neville Hobson is the author of the popular NevilleHobson.com blog which focuses on business communication and technology.

Neville is currentlly the VP of New Marketing at Crayon. Visit Neville Hobson’s blog: NevilleHobson.com.

“It was a big nothing, a non-incident,” said Port Authority police spokesman Tony Ciavolella.

Authorities interviewed the pilots of the flights and concluded that neither flight experienced any problems.

A statement released by Delta said:

Delta Air Lines’ (NYSE: DAL) Flights 119 and 81 arrived without incident at John F. Kennedy International Airport at approximately 1:30 p.m. EST. However, both aircraft were momentarily held back from the gate on instructions from the Transportation Security Administration (TSA).

Both aircraft were cleared by the TSA and are now at their gates and passengers have been deplaned normally. The aircraft have resumed scheduled service. There will be no further statements from Delta concerning these flights.

WebProNews | Breaking eBusiness News
Your source for investigative ebusiness reporting and breaking news.