Why You Can Trust CNET JavaScript hole exposes form data
A Bell Labs security researcher discovers a serious security flaw in the JavaScript language used by popular Web browsers from Microsoft and Netscape.
The hole could allow a malicious Web site to snatch private data that users enter into Web forms, such as passwords, credit card numbers, and Social Security numbers, even after leaving the malicious site. Users are vulnerable to the data theft whether a browser employs encryption technology or a user is behind a firewall, according to Vinod Anupam, the Bell Lab researcher. A site could also exploit the hole to monitor what Web sites a user visits.
Bell Labs discovered the glitch in late June and reported it to Netscape, Microsoft, and the Computer Emergency Response Team (CERT) at the end of the month. Yesterday, CERT, a team of security experts at Carnegie Mellon University, issued an advisory warning of the hole.
"To the best of our knowledge there hasn't been an exploit based on this," Anupam said. "However, the potential for misuse is very real."
Although no users appear to have fallen prey to data theft because of the glitch, at least one site on the Web is demonstrating how it can be used to swipe private data. When a user visits the home page of the site, it uses JavaScript to open a tiny browser window in the corner of a user's screen.
That browser is then used to monitor which sites a user visits through his or her main browser. If, for example, the user purchased a book at Amazon.com using a credit card, the card number would be exposed to the malicious Web site.
The standard encryption techniques used to scramble sensitive data, such as Secure Sockets Layer and SHTTP, do not protect users against interlopers. The JavaScript hole allows sites to pull data directly out of a Web form on a browser before it is encrypted and sent across the Net.
JavaScript is a cross-platform Internet scripting language invented by Netscape that the company has supported since the 2.0 version of its Navigator browser. Microsoft includes a JavaScript "clone" in the 3.0 version of Internet Explorer. Combined, there are tens of millions of JavaScript-capable browsers in use.
Today, Netscape representatives said that they have already fixed the glitch in the 3.02 version of Navigator, posted earlier this week on its FTP site. Users of the company's new Communicator software can download a fix for that browser next week, said Dave Rothschild, Netscape's director of marketing for client applications. Rothschild added that the problem affects browser on all the platforms its supports, including Windows, Mac, and Unix.
However, Kevin Unangst, a product manager at Microsoft, said that the company has found that the bug only affects the Windows 95 and NT versions of its browser. The company will issue a software patch next week to fix the hole in its existing browser and will include a fix in the next beta of Internet Explorer 4.0, due out later this month, he said.
In its advisory yesterday, CERT said that users should install fixes from the makers of their browser or consider disabling JavaScript.
One privacy expert, Dave Banisar, staff counsel at the Electronic Privacy Information Center, said that software companies can't rely on encryption as a safety net to protect data from theft.
"Encryption is only as good as the infrastructure it's implemented into," he said.