CNET también está disponible en español.

Ir a español

Don't show this again

Christmas Gift Guide
Internet

Bug hits Communicator, anonymizers

A recently discovered hole in services that let users surf anonymously leads to a confusing round of finger-pointing as the players assess the risk to users.

A recently discovered hole in services that let users surf anonymously has led to a confusing round of finger-pointing as the players assess the risk to users.

So-called Web "anonymizers" work by acting as proxies for Web surfers or by rewriting Web pages that users request. This prevents Web sites from gleaning any information, such as an Internet Protocol (IP) address, from the visitor or transmitting cookies to the client hard drive.

In two holes discovered by security maven Richard Smith, president of Phar Lap Software, users are either bounced out of their "anonymized" Web environment or have their IP address and host name revealed.

At the heart of the anonymizers' problem is JavaScript, a scripting language developed by Netscape Communications for executing actions on a Web page without user interaction. JavaScript, which is unrelated to Sun Microsystems' Java programming language, makes Web pages more flexible, but it has wreaked bug havoc for the browsers, which have fended off numerous JavaScript-related privacy and security problems.

Anonymizer.com, the highest-profile anonymizing service, strips all JavaScript out of Web pages to minimize security risks. But the exploit demonstrated by Smith bypasses that safeguard by planting JavaScript commands inside the text field of an input field of a form--a place JavaScript commands ought not to be allowed in the first place, according to Anonymizer.

"We've tested the bug reported under [Microsoft's] Internet Explorer, and it does not exist with version 5.0," said Anonymizer president Lance Cottrell. "It doesn't work with Opera, either. Our feeling right now is that since Communicator is the only browser doing it, it's a Netscape bug."

Netscape said it was looking into the problem and could not immediately comment on it.

Cottrell said his company would implement a fix tonight. He also noted that the exploit Smith demonstrated is easy to detect, since the Anonymizer interface falls away as the user is bounced out of the anonymized environment.

Another anonymizing service, Lucent Technologies' Personalized Web Assistant, does not strip out JavaScript but instead advises users to turn JavaScript off in the browser if they're concerned about security issues.

"I don't think the solution for a proxy service is to remove all JavaScript, because that decreases the functionality of sites and the value of the whole service," said Alain Mayer, research scientist at Bell Labs, a research arm of Lucent. Mayer said future implementations of JavaScript may feature more flexible ways of controlling how the technology is used depending on where a user surfs.