[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

javascript Security... the official word

oooh! creepy!  here's the official word:

"THE WORLD WIDE WEB SECURITY FAQ (Version 1.2.0, February 28 1996)"
by Lincoln D. Stein <lstein@genome.wi.mit.edu>
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   You should be extremely concerned about JavaScript, an integral part
   of Netscape Navigator 2.0. It allows many types of private information
   to be included in data submitted to remote sites by fill-out forms,
   without the consent, or even the knowledge of the user. For example, a
   recently published script showed how a JavaScript page could grab a
   user's e-mail address from Netscape's preferences dialog and send it
  user's e-mail address from Netscape's preferences dialog and send it
   across the Internet.

   This is just the beginning. Others have figured out how to exploit
   JavaScript to make much more intrusive invasions of the user's
   privacy. The scripts at:
     * http://www.c2.org/~aelana/javascript.html and
     * http://www.osf.org/~loverso/javascript/track-me.html

   demonstrate how to take the following obnoxious actions:
    1. Read the user's URL history list and transmit it to a remote site.
    2. Read the user's disk cache (containing URLs of all frequently
       visited sites) and transmit it to a remote site.
    3. Invisibly monitor all the sites a user visits and transmit them
       one by one to a remote site (the monitoring persists until the
       user completely exits from Netscape)
    4. Obtain a recursive directory listing of the user's local hard disk
       and any network disks that happen to be mounted.

   In addition, it should be possible to exploit the same holes to grab
   the user's list of subscribed newsgroups and to obtain the contents of
   local disk files.

   Not only is this intrusive, but it represents a systemwide security
   breach. If sensitive system documents (such as password files) can be
   stolen, then the entire local area network becomes vulnerable to break

   There doesn't seem to be any way to turn JavaScript off, so the
   recommended solution is to _use Netscape 1.1 or another vendor's
   browser_. Turning off Java in the Security Preferences dialog box has
   no effect on JavaScript.


"I came to America because I had heard the streets were paved with gold,
and I found three things. One: The streets were not paved with gold. Two:
The streets were not paved at all. Three:I was expected to pave them."
--From Annie Nakao's story on a photography exhibit of American immigrants.
m'e-mail: paz@best.com; pay me a cyber-visit: http://www.best.com/~paz

This message came from the mailing list javascript. For help using the
mailing list software, please send a message to 'majordomo@obscure.org'
with the message body 'help'. To unsubscribe, send a message to
'majordomo@obscure.org' with the message body 'unsubscribe javascript'.