There are few of us in life who really want to dig into the nitty gritty details of how things work — to visit the proverbial “sausage factory” that makes our favorite food, assembles our cars, or puts cheap gadgets on the shelves at Best Buy and Target.
Yamanner first appeared on June 12 and targets users of Yahoo's Web-based e-mail program. It exploits a previously unknown cross-site scripting hole and uses AJAX to raid a victim's Yahoo Mail contacts. The worm's appearance is evidence that malicious code writers are using AJAX and other dynamic Web development techniques to create stealthy Web-based attacks, said Billy Hoffman, lead research and development engineer at SPI Dynamics, a Web application security company.
The worm should be a wake-up call to software developers and Webmasters that more Java and AJAX exploits will be coming, according to a blog post by Michael Haisley, an incident handler for the SANS Internet Storm Center.
Web developers need to pay close attention to input validation and take reports of cross-site scripting holes more seriously, Hoffman said. Companies enamored of "gee-whiz" Web applications from Google should also think carefully and plan before porting business applications to the Web, he said.
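The input-validation point above, shown as an added example that is not from the article, from Yahoo or from SPI Dynamics: a small allowlist sanitizer for untrusted HTML such as a received mail body. A webmail client that renders sender-supplied HTML must keep only known-good tags and attributes and drop everything else, which is what blocks the script and event-handler markup a worm of this kind depends on. The tag and attribute allowlists, the helper names (`sanitizeHtml`, `parseAttrs`, `findTagEnd`) and the sample mail body are all constructed for this example.

```javascript
// Added example (not from the article): allowlist sanitizer for untrusted HTML.
// Keeps a few formatting tags, drops every other element (script, iframe, img, ...),
// drops every attribute except <a href> with an http(s)/mailto URL, and escapes text.
// Allowlists and sample input below are constructed for this example.

const ALLOWED_TAGS = new Set(["p", "br", "b", "i", "u", "em", "strong", "a",
                              "div", "span", "ul", "ol", "li"]);
const ALLOWED_ATTRS = { a: new Set(["href"]) };   // only <a href> survives
const RAW_TEXT_TAGS = new Set(["script", "style"]); // body is discarded, not just the tag
const SAFE_URL = /^(https?:|mailto:)/i;            // relative and javascript: URLs are dropped

// Escape text so the browser renders it as characters, never as markup.
function escapeText(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;")
          .replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// Index of the '>' closing the tag that starts at `lt`, ignoring '>' inside quoted
// attribute values; -1 if the tag is never closed.
function findTagEnd(s, lt) {
  let quote = null;
  for (let i = lt + 1; i < s.length; i++) {
    const c = s[i];
    if (quote) { if (c === quote) quote = null; }
    else if (c === '"' || c === "'") quote = c;
    else if (c === ">") return i;
  }
  return -1;
}

// Attributes inside a start tag: name="v", name='v', name=v or a bare name.
function parseAttrs(s) {
  const attrs = [];
  const re = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;
  let m;
  while ((m = re.exec(s)) !== null) {
    attrs.push([m[1].toLowerCase(), m[2] || m[3] || m[4] || ""]);
  }
  return attrs;
}

function sanitizeHtml(input) {
  let out = "";
  let i = 0;
  while (i < input.length) {
    const lt = input.indexOf("<", i);
    if (lt === -1) { out += escapeText(input.slice(i)); break; }
    out += escapeText(input.slice(i, lt));
    // Only "<letter" or "</" can start a tag; anything else is a literal '<'.
    const next = input[lt + 1] || "";
    const gt = /[a-zA-Z\/]/.test(next) ? findTagEnd(input, lt) : -1;
    if (gt === -1) { out += "&lt;"; i = lt + 1; continue; }
    const m = /^<(\/?)([a-zA-Z][a-zA-Z0-9]*)([\s\S]*)>$/.exec(input.slice(lt, gt + 1));
    if (!m) { out += "&lt;"; i = lt + 1; continue; }
    i = gt + 1;
    const closing = m[1] === "/";
    const name = m[2].toLowerCase();
    if (RAW_TEXT_TAGS.has(name) && !closing) {
      // Skip the whole element body so script source never reaches the page.
      const end = input.toLowerCase().indexOf(`</${name}`, i);
      const close = end === -1 ? -1 : input.indexOf(">", end);
      i = close === -1 ? input.length : close + 1;
      continue;
    }
    if (!ALLOWED_TAGS.has(name)) continue;          // unknown element: dropped
    if (closing) { out += `</${name}>`; continue; }
    const allowed = ALLOWED_ATTRS[name] || new Set();
    let kept = "";
    for (const [attr, value] of parseAttrs(m[3])) {
      if (!allowed.has(attr)) continue;              // drops onmouseover=, style=, ...
      if (attr === "href" && !SAFE_URL.test(value.trim())) continue;
      kept += ` ${attr}="${escapeText(value)}"`;
    }
    out += `<${name}${kept}>`;
  }
  return out;
}

// Constructed sample mail body mixing harmless formatting with hostile markup.
const SAMPLE_MAIL =
  '<p onmouseover="x()">Hi <b>Bob</b>, see <a href="javascript:steal()">this</a> ' +
  'or <a href="https://example.com/">that</a>.</p><script>evil()</script>' +
  '<img src="x" onerror="run()">5 < 6';

console.log(sanitizeHtml(SAMPLE_MAIL));
```

The output for the sample keeps the paragraph, bold text and the https link, turns the `javascript:` link into a bare `<a>`, and removes the event handlers, the `<script>` element with its body and the `<img>` element, while the stray `<` in "5 < 6" is escaped. The allowlist direction matters: a denylist of known-bad tags would miss the next encoding trick, whereas dropping everything not explicitly permitted does not. Real HTML has enough parsing quirks (comments, CDATA, entity decoding in attributes) that production code should use a maintained, spec-compliant sanitizer library; this block shows the principle such libraries apply.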
“When you push business logic to the client side, you’re allowing attackers to see data types and input ranges that hackers would ordinarily need a complicated disassembler to see,” Hoffman said.