Yahoo worm demonstrates AJAX threat

There are few of us in life who really want to dig into the nitty gritty details of how things work -- to visit the proverbial “sausage factory” that makes our favorite food, assembles our cars, or puts cheap gadgets on the shelves at Best Buy and Target.

The same is true on the Web. In the last two years, we’ve all been wowed by new Web-based applications like Google Maps and the Web application development techniques like AJAX (Asynchronous Javascript and XML) that make them possible. How many of us really want to think about the possible vulnerabilities that cool new tools like AJAX introduce while they’re doing all that magic behind the scenes?

But a new Javascript e-mail worm may be a sign that our romance with what’s been dubbed “Web 2.0” and the tools like AJAX that make it possible could be coming to an abrupt end.

Yamanner first appeared on June 12 and targets users of Yahoo Web-based e-mail program. It exploits a previously unknown cross site scripting hole and uses AJAX to raid a victim’s Yahoo Mail contacts. The worm’s appearance is evidence that malicious code writers are using AJAX and other dynamic Web development techniques to create stealthy Web-based attacks, said Billy Hoffman, lead research and development engineer at SPI Dynamics, a Web application security company.

Yamanner’s author or authors figured out how to attach malicious Javascript to a standard HTML image tag in a way that fooled Yahoo’s malicious code filters. Once a Yamanner message was opened and the image finished loading, the malicious code was run, and AJAX was used to silently connect back to Yahoo’s Web server and send out copies of the virus through the victim’s account, Hoffman said.

In October 2005, a Javascript-based worm called Spacehero circulated widely on the MySpace network and used AJAX to add the worm’s author, “Samy,” to the “friends” list of millions of MySpace users. Yamanner is a variation on the same theme, and the first evidence of an AJAX threat hitting one of the “big three” Webmail providers, Hoffman said.

The worm should be a wake-up call to software developers and Webmasters that more Java and AJAX exploits will be coming, according to a blog post by Michael Haisley, an incident handler for the SANS Internet Storm Center.

Web developers need to pay close attention to input validation and take reports of cross site scripting holes more seriously, Hoffman said. Companies enamored of “gee-whiz” Web applications from Google should also think carefully and plan before porting business applications to the Web, he said.

“When you push business logic to the client side, you’re allowing attackers to see data types and input ranges that hackers would ordinarily need a complicated disassembler to see,” Hoffman said.