Sunday, January 20, 2008

Dangers of remote Javascript

O'Reilly reported: "As we move to a widget web, where the goodies on your site may not necessarily come from your site, it's worth sparing a thought for security. We at O'Reilly just got bit on perl.com, which redirected to a porn site courtesy of a piece of remotely-included Javascript. One of our advertisers was using an ads system that required our pages to load Javascript from their site. It only took three things to turn perl.com into porn.com: (1) the advertiser's domain lapsed, (2) the porn company bought it, (3) they replaced the Javascript that we were loading with a small chunk that redirected to the porn site (note that nothing on or about perl.com changed). Our first concern was that we'd been hacked and "run this remote Javascript" inserted from our servers without our knowledge, but that hadn't happened—our change records and RT logs show we've had that Javascript and advertiser since May 2006."
This happened to me too. In my case a couple of pages were using a widget that reported the geographical location of visitors, and that company went out of business and Network Solutions grabbed their domain, and replaced my websites with web pages promoting Network Solutions. I thought for a while my domain names had expired and they had grabbed them.
