
Yahoo plugs email hole but web services issue highlighted


The world's 200 million or so Yahoo email users can breathe a little easier today because the global internet company says it has plugged a potentially dangerous hole in its system that allowed a JavaScript worm to infect email users' computers.

The vulnerability enabled the worm, called Yamanner, to infect a computer and proliferate via its email address book to other Yahoo Mail users as soon as the user merely opened the email message.

Yamanner exploits a vulnerability that enables scripts embedded in HTML e-mails to be run by the user's browser. Yahoo Mail normally blocks JavaScript programs, but there was one script it allowed, which handled uploading images in emails to the server. Yamanner substituted its own JavaScript code for the image handling script.

The Yahoo Mail vulnerability and its relation to JavaScript have raised questions about the security of web services that use JavaScript.

Yahoo, Google and other companies have already released products to the market based on the current web services technology flavour of the month, AJAX (Asynchronous JavaScript And XML). Google Calendar and Google Spreadsheet are the latest examples. More such online web services are in the pipeline. According to a report in Information Week, the proliferation of AJAX in online applications could provide fertile ground for hackers because a JavaScript application is very difficult to protect.

For users interested in downloading the plethora of free online applications now on offer from internet companies, the news that many of the applications may not be safe will be discomforting. The Yahoo incident demonstrated that it is possible for hackers to replace a resident JavaScript program with another, malicious JavaScript program, which in turn can launch a rogue website. If nothing else, this could well put a significant kink in the best-laid plans of the providers of web services.