[kwlug-disc] DuckDuckGo.com -- an alternate search engine

Eric Gerlach eric+kwlug at gerlach.ca
Wed Jul 28 10:05:20 EDT 2010


Excerpts from Ralph Janke's message of Tue Jul 27 12:32:51 -0400 2010:
> I am not sure what the resistance against JavaScript in general is.
> 
> JavaScript allows certain parts of the code to be executed in the
> client instead of the server. This allows a smoother user experience
> (i.e. not every user interaction requires a new page to be rendered). Do
> you need this for every application - no. However, it can increase the
> usability, for example by allowing auto-completion of your input.

I've been thinking about this since our discussion last night, Ralph,
and I've thought of a few more JavaScript-specific attacks that *don't*
involve your machine being taken over, but are still problematic.

Attack #1: Using existing logins

- You're logged into a site you care about (let's say your bank, or
  launchpad)
- Malicious JavaScript looks through your history (yes, it can do this)
  to find recently visited sites that it knows about
- Code navigates your browser to that site (in an invisible iframe) to
  see if you're logged in.
- If you are, it starts GETting and POSTing things to do its nefarious
  work

Attack #2: Clickjacking

http://en.wikipedia.org/wiki/Clickjacking

Attack #3: Tabnapping

http://www.azarask.in/blog/post/a-new-type-of-phishing-attack/

So whereas in our conversation, you're mostly right, you're not likely
to get pwned by JavaScript, you can still get phished.  Which is
arguably just as bad.

Cheers,

Eric
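
Added example (not part of the original message): a sketch of the server-side checks a site can apply so that the cross-site GETs/POSTs of Attack #1 and the hidden framing used in Attacks #1 and #2 fail even when the visitor is logged in. The origin `https://bank.example`, the request/session object shapes and the function names are assumptions for illustration.

```javascript
// Added example: server-side checks against the cross-site requests described in Attack #1.
// TRUSTED_ORIGIN and the request/session object shapes are assumptions for illustration.
const TRUSTED_ORIGIN = 'https://bank.example';
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Compare two strings without stopping at the first differing character.
function constantTimeEqual(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string' || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Reduce Origin (or, failing that, Referer) to scheme://host[:port]; null if absent or malformed.
function requestOrigin(headers) {
  const raw = headers['origin'] || headers['referer'];
  if (!raw) return null;
  try { return new URL(raw).origin; } catch (e) { return null; }
}

// Decide whether a request that arrived with a valid session cookie may proceed.
// req: { method, headers (lower-cased names), csrfToken }, session: { csrfToken }
function checkRequest(req, session) {
  // Safe methods pass, which is only sound if GET handlers never change state.
  if (SAFE_METHODS.has(req.method.toUpperCase())) return { allow: true, reason: 'safe method' };
  const origin = requestOrigin(req.headers);
  if (origin !== TRUSTED_ORIGIN) return { allow: false, reason: 'cross-site or missing origin' };
  // A page on another site cannot read this per-session token, so it cannot echo it back.
  if (!constantTimeEqual(req.csrfToken, session.csrfToken)) {
    return { allow: false, reason: 'bad CSRF token' };
  }
  return { allow: true, reason: 'same-origin with valid token' };
}

// Response headers that stop other sites from loading the page in an (invisible) iframe.
function antiFramingHeaders() {
  return {
    'X-Frame-Options': 'DENY',
    'Content-Security-Policy': "frame-ancestors 'none'",
  };
}

// Session cookie attributes; SameSite=Lax keeps the cookie off cross-site POSTs and iframe loads.
function sessionCookie(id) {
  return `sid=${id}; Secure; HttpOnly; SameSite=Lax; Path=/`;
}
```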



