
Re: javascript Security... the official word

On Fri, 1 Mar 1996 11:16:06 -0800, you wrote:

>"THE WORLD WIDE WEB SECURITY FAQ (Version 1.2.0, February 28 1996)"
>by Lincoln D. Stein <lstein@genome.wi.mit.edu>
>- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
>   You should be extremely concerned about JavaScript, an integral part
>   of Netscape Navigator 2.0. It allows many types of private information
>   to be included in data submitted to remote sites by fill-out forms,
>   without the consent, or even the knowledge of the user. For example, a
>   recently published script showed how a JavaScript page could grab a
>   user's e-mail address from Netscape's preferences dialog and send it
>   across the Internet.

I do not understand where being able to grab a user/visitor's email address is a
breach of privacy or a worry. Actually I find it pretty darn useful... If
someone visits a site they DO leave a bunch of logs all over the place and they
could eventually be traced to a singular individual without that much work..

I know from reviewing my site logs that only the user's domain info is stored...
I must say though that should Javascript prove to be able to do these items:

1) grab the user's complete info (username on their local system as well as
domain info)

2) grab the previous page they are coming from (aka referring page)

I would quickly add code to my page to use such features, since these items
allow me to:

1) keep track of who is actually visiting my pages
2) contact visitors later, if needed or to notify them of updates...
3) keep track of referring pages so that I can contact the admins there to
notify/thank them for the posting....

>   This is just the beginning. Others have figured out how to exploit
>   JavaScript to make much more intrusive invasions of the user's
>   privacy. The scripts at:
>     * http://www.c2.org/~aelana/javascript.html and
>     * http://www.osf.org/~loverso/javascript/track-me.html
>   demonstrate how to take the following obnoxious actions:
>    1. Read the user's URL history list and transmit it to a remote site.
>    2. Read the user's disk cache (containing URLs of all frequently
>       visited sites) and transmit it to a remote site.
>    3. Invisibly monitor all the sites a user visits and transmit them
>       one by one to a remote site (the monitoring persists until the
>       user completely exits from Netscape)
>    4. Obtain a recursive directory listing of the user's local hard disk
>       and any network disks that happen to be mounted.

Now as for all of these things.... These need stopped as they definitely go far
beyond invasion of one's privacy...


What happens when corporations turn to the government as
their professional bounty hunters.  Conspiracy read all about
AT&T's conspiracy to hide their own wrongdoing.


For help about the list, please send a message to 'majordomo@obscure.org'
with the message body 'help'. To unsubscribe, send a message to
'majordomo@obscure.org' with the message body 'unsubscribe javascript'.
List archives and pointer to FAQ: http://www.obscure.org/javascript/