A recent trend in computer insecurity has been the growing prevalence of malicious JavaScript with cross-site scripting hacks that exploit web browsers that are already logged into Facebook to do things to the user’s Facebook account they had no intention of doing.
Cross-site scripting hacks are potentially dangerous because they take advantage of your being still logged into a site (like Facebook, or your GMail account, or your bank) when you have closed or backgrounded that window and are visiting another site where the malware lives… and the malware knows how to manipulate the account you are still logged in on to do things you did not agree to.
Most commonly this is relatively harmless spam creation (the malicious JavaScript at MyLike.com checks to see if you are still logged into Facebook, and if you are it posts to Facebook as if you were doing it yourself, a bunch of “Likes” that you never really know about unless your friends comment about it), but it can also be used to pull information you did not wish to share from your other accounts and even move money from your online banking account if you are still logged into it.
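The abuse described above works because the browser attaches the victim’s still-valid session cookie to a request that another site triggered. As an added example (not code from this post, and not Facebook’s), here is how a site itself can refuse such forged state changes: a `SameSite=Lax` session cookie, an `Origin` header check, and a per-session token that a third-party page cannot read. The origins `social.example` and `mylike.example` are constructed placeholders.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed placeholder: the origin of the site the user is logged into.
SITE_ORIGIN = "https://social.example"


@dataclass
class Request:
    """Minimal model of what the server sees for one HTTP request (constructed)."""
    method: str
    origin: Optional[str]                  # Origin header; None when the browser sent none
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


# Server-side session store: session id -> per-session secret used to derive the CSRF token.
SESSIONS: dict = {}


def new_session() -> tuple:
    """Log a user in: create a session and return (session id, CSRF token for its own forms)."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = secrets.token_bytes(32)
    return sid, csrf_token(sid)


def csrf_token(sid: str) -> str:
    """Derive the synchronizer token for a session; only the site's own pages embed it."""
    return hmac.new(SESSIONS[sid], b"csrf-token", hashlib.sha256).hexdigest()


def session_cookie_header(sid: str) -> str:
    """Set-Cookie value: SameSite=Lax keeps the browser from attaching it to cross-site POSTs."""
    return f"session={sid}; Secure; HttpOnly; SameSite=Lax"


def is_authorized_state_change(req: Request) -> bool:
    """Accept a state-changing request only if it provably came from the site's own page."""
    if req.method not in ("POST", "PUT", "DELETE"):
        return True                        # reads change nothing, so no token is needed
    sid = req.cookies.get("session")
    if sid not in SESSIONS:
        return False                       # not logged in at all
    if req.origin is not None and req.origin != SITE_ORIGIN:
        return False                       # browser reports the request came from another site
    # Origin absent (older browser) or matching: still require the token a foreign page cannot read.
    return hmac.compare_digest(req.form.get("csrf_token", ""), csrf_token(sid))
```

A request carrying the session cookie but neither a matching `Origin` nor the token is rejected, which is exactly the shape of the “Like” forged from another site.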
It is very important that you log out of sites when you are done with whatever transaction.
It is also important that you do not blindly trust all JavaScript and Flash content that comes in from random websites… for this problem will be endemic as long as people allow JavaScript and Flash execution by default in their web browsers.
HTML5 has great promise in eliminating the need for so much JavaScript and Flash; but it is taking a while to catch on because web site designers are busy or simply too lazy.
For the interim, it is absolutely necessary to get a JavaScript white-listing extension for your web browser; one that blocks all JavaScript except the scripts you specifically want to trust and run. It is also recommended that you treat Flash content the same way and only allow Flash that you specifically trust; not as many Flash exploits have been discovered, yet… but they will show up as soon as everyone has blocked their JavaScript security holes.
Sadly, there are no JavaScript white-listing extensions available for all browsers, yet…
The one I know of is NoScript for Firefox, and it works much like ZoneAlarm (firewall) used to work for Windows (white-listing applications that tried to get internet access, or black-listing them).
I’d love to know of other JavaScript white-listing extensions for other browsers.
So far, Safari has none. Firefox and all the Mozilla browsers can use NoScript. I have never tried Chrome, so I don’t know yet.
Running any white-lister requires a little patience, because using it properly means the default is to trust no one, and only allow those domains you know you both need and trust. That means that most websites will NOT work when you first install your white-listing agent… and you’ll have to accept that the site is broken, or trust its JavaScript explicitly… it requires a lot of patience and awareness at first.
It is, however, the only way to stop these crappy click-jacking cross-site script hacks.