Dangers of remote javascript?
Nat Torkington at O'Reilly Radar tells a story that shows how darned sneaky pornographers may be:
Dangers of remote Javascript
As we move to a widget web, where the goodies on your site may not necessarily come from your site, it's worth sparing a thought for security. We at O'Reilly just got bit on perl.com, which redirected to a porn site courtesy a piece of remotely-included Javascript. One of our advertisers was using an ads system that required our pages to load Javascript from their site. It only took three things to turn perl.com into porn.com: (1) the advertiser's domain lapsed, (2) the porn company bought it, (3) they replaced the Javascript that we were loading with a small chunk that redirected to the porn site (note that nothing on or about perl.com changed). Our first concern was that we'd been hacked and "run this remote Javascript" inserted from our servers without our knowledge, but that hadn't happened—our change records and RT logs show we've had that Javascript and advertiser since May 2006.
Now, forgive me for not being a techy, but is this really very different from any domain lapsing and turning into a porn site? I mean, sure, there is some JavaScript involved here, but the upshot is that a domain changed hands and a redirect to porn got in the mix. That happens all the time without a whiff of a widget or any scripting. There are millions of hard-coded links embedded around the net, and plenty of them turn into porn or other nasty sites every day. That doesn't mean we shouldn't be more careful about embedded JavaScript, but this isn't some new security hole. It's just the web being the web.

Surely the point is that any visitor to perl.com was redirected straight to porn.com. No action on the user required. It's not the perl.com domain name that had expired, but one of their advertisers'.
Posted by: Matt Mentletv | January 23, 2008 at 03:52 PM
my two cents
tinyurl.com/3yvxks
Posted by: Adnan Siddiqi | January 21, 2008 at 07:06 PM
Hi! It's a variation on simple domain lapsing, but the important thing here is that perl.com never lapsed. A whois search would have shown that perl.com was still owned by Tom Christiansen and pointing to O'Reilly's servers. But when people went to perl.com, they ended up on a porn site. We managed our domains perfectly and still got bitten by a lapsed domain. The scope to be bitten by lapses that aren't your own is what's different here.
Posted by: Nat Torkington | January 20, 2008 at 11:00 PM
I think you're correctly describing a real scenario, but Nat was showing a variant.
Perl.com didn't lapse, and wasn't replaced with a porn site. But perl.com did request content from a lapsed domain.
Ordinarily a request for a third-party GIF banner wouldn't mean that your whole page is redirected elsewhere, but the execution of JavaScript From Strangers is what made perl.com turn entirely into porn.com.
(Rephrased, you wouldn't have to visit a lapsed domain... you'd just visit a good domain, which happened to call dynamic ads from a lapsed domain.)
Posted by: John Dowdell | January 20, 2008 at 10:13 PM