
This is the opinion of online security specialists about the worm that wreaked havoc in Yahoo Mail. Although Yahoo contained the infection within 24 hours, fixed the JavaScript vulnerability that allowed Yamanner to spread through its e-mail service, and tried to minimize the damage and the number of affected users, the truth is that the worm's impact is far greater. For the first time, one of the three main e-mail service providers was successfully targeted by an online attack that took advantage of the holes opened by AJAX (Asynchronous JavaScript and XML).
The worm exploited a cross-site scripting vulnerability and used AJAX to raid the contacts the victim had saved in Yahoo Mail. Yamanner is in fact malicious JavaScript attached to a standard HTML image tag, which made it undetectable to Yahoo's filters. Once the message was opened and the image finished loading, the malicious code executed and began contacting Yahoo's servers in order to replicate itself through the user's account.
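The defensive lesson of the image-tag vector is that a webmail filter cannot just block `<script>` tags; it has to strip script-bearing attributes and unsafe URL schemes from every tag it lets through. The following allowlist sanitizer is an added example written for this article, not Yahoo's filter or any code from the original page. It keeps a small set of formatting tags, drops any other tag (including the contents of `script` and `style`), removes every `on*` event-handler attribute, and permits only absolute http/https URLs in `src` and `href`. The sample message body, the `run()` handler name and the domain are constructed for the demonstration; it also returns a record of what was removed, which is the signal a mail service would log to detect a campaign like this one.

```python
"""Allowlist HTML sanitizer for untrusted e-mail bodies (illustrative example)."""
from html.parser import HTMLParser
from html import escape
from urllib.parse import urlparse

# Only these tags survive; everything else is dropped (the tag, not its text).
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "img", "div", "span"}
# Per-tag attribute allowlist; note that no on* attribute is ever listed here.
ALLOWED_ATTRS = {
    "a": {"href", "title"},
    "img": {"src", "alt", "width", "height"},
}
URL_ATTRS = {"href", "src"}           # attributes whose value is a URL
VOID_TAGS = {"br", "img"}             # tags that never get a closing tag
DROP_CONTENT_TAGS = {"script", "style"}  # drop the text inside these too


def safe_url(value):
    """Accept only absolute http(s) URLs; javascript:, data:, vbscript: are rejected."""
    scheme = urlparse(value.strip()).scheme.lower()
    return scheme in ("http", "https")


class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # sanitized fragments, joined at the end
        self.dropped = []    # (reason, where) tuples for logging / detection
        self.skipping = False  # True while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.skipping = True
        if tag not in ALLOWED_TAGS:
            self.dropped.append(("tag", tag))
            return
        kept = []
        for name, value in attrs:
            lname = name.lower()
            if lname.startswith("on"):                    # onload, onerror, ...
                self.dropped.append(("event-handler", f"{tag}.{lname}"))
                continue
            if lname not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(("attr", f"{tag}.{lname}"))
                continue
            if lname in URL_ATTRS and not (value and safe_url(value)):
                self.dropped.append(("url", f"{tag}.{lname}"))
                continue
            # Re-escape the value so it cannot break out of the attribute.
            kept.append(f' {lname}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.skipping = False
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(escape(data))   # text is always re-escaped


def sanitize(html):
    """Return (clean_html, dropped) for an untrusted HTML fragment."""
    parser = Sanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.dropped


if __name__ == "__main__":
    # Constructed sample: an image tag carrying an event-handler attribute.
    body = '<p>Hi</p><img src="http://example.com/a.png" onload="run()" alt="x">'
    clean, dropped = sanitize(body)
    print(clean)    # <p>Hi</p><img src="http://example.com/a.png" alt="x">
    print(dropped)  # [('event-handler', 'img.onload')]
```

The `dropped` list is the part a mail operator would watch: a sudden spike of `event-handler` or `url` removals on `img` tags across many inbound messages is exactly the kind of signal that would have surfaced this worm's propagation early. The allowlist approach also means a new attribute or scheme the filter has never heard of is rejected by default rather than passed through.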
Compared to traditional web technologies, Asynchronous JavaScript and XML (AJAX), used to create dynamic and interactive content, opens holes in otherwise secure applications or amplifies those already in existence, creating opportunities for attacks such as SQL injection, cross-site scripting and denial-of-service attacks that cripple a network with traffic to the point where it collapses. All of these are possible because web applications fail to fully inspect the embedded JavaScript elements. There is growing concern about the security issues that come with the introduction of more and more AJAX content into web applications.