Thursday, October 05, 2006

JavaScript Intranet Scanner

In the "Other Things" blog I found a link to a PDF document that describes a very disturbing security issue with JavaScript:

Imagine visiting a blog on a social site or checking your email on a portal like Yahoo’s Webmail. While you are reading the Web page JavaScript code is downloaded and executed by your Web browser. It scans your entire home network, detects and determines your Linksys router model number, and then sends commands to the router to turn on wireless networking and turn off all encryption. Now imagine that this happens to 1 million people across the United States in less than 24 hours.
This scenario is no longer one of fiction.


The document provides more information on how this can be achieved (though the link to their demo page doesn't work, so I can't guarantee that this is not another joke). If the approach described in this paper works, then it's scary. It seems like the only possible solution is to turn off JavaScript support in the browser and turn it on only for selected sites, which will make Ajax and other modern Web technologies significantly less appealing.

Again, I haven't checked the information yet, but the explanation in the document seems realistic enough.
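A narrower control than switching JavaScript off is to refuse any request that a page loaded from a public site makes to a loopback or private-network address, which is where a home router lives. The sketch below is an added example, not code from the referenced paper or this blog; the function names and the sample URLs are constructed for illustration.

```javascript
// Added example: the decision a filtering proxy or browser extension could
// make for each request. All names here are hypothetical.

// Parse a dotted-quad IPv4 literal into four octets, or return null.
function parseIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((o) => o <= 255) ? octets : null;
}

// True for loopback, RFC 1918 and link-local IPv4 literals, plus "localhost".
function isLocalTarget(host) {
  if (host === "localhost") return true;
  const ip = parseIPv4(host);
  if (!ip) return false; // names that resolve to local addresses need a DNS check, not done here
  const [a, b] = ip;
  return a === 127 || a === 10 ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    (a === 169 && b === 254);
}

// Decide whether a request started by the page at `initiatorUrl` may reach `targetUrl`.
function checkRequest(initiatorUrl, targetUrl) {
  const from = new URL(initiatorUrl).hostname;
  const to = new URL(targetUrl).hostname;
  if (isLocalTarget(to) && !isLocalTarget(from)) {
    return { allow: false, reason: `public page ${from} -> local host ${to}` };
  }
  return { allow: true, reason: "no public-to-local crossing" };
}

// Constructed sample traffic: [page that issued the request, requested URL].
const samples = [
  ["http://blog.example/post", "http://192.168.1.1/index.htm"],
  ["http://blog.example/post", "http://cdn.example/lib.js"],
  ["http://192.168.1.1/", "http://192.168.1.1/settings"],
];
for (const [page, url] of samples) {
  const r = checkRequest(page, url);
  console.log(r.allow ? "ALLOW" : "BLOCK", url, "-", r.reason);
}
```

The router's own admin pages keep working because their initiator is itself local; only the public-to-local crossing is refused.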


5 comments:

Anonymous said...

I am skeptical of this. How is the JavaScript supposed to get through the password and ID required to access the router settings? What point is there for someone in let's say Russia to be able to turn off your encryption? If you are running a software firewall you are still protected up to a point.

Aleksey Linetskiy said...

Dmitriy, thanks for the great comment! I agree that this article is unnecessarily panicky, and that it's not the end of the world. A couple of notes:

1. Java applets and Flash, while running in a browser, are running in a sandbox, which, if I remember correctly, prohibits them from connecting to any host other than the originating one. So, they are not suitable for this kind of attack.

2. As you pointed out, the script - at least in its current version - is good only to scan very simple networks with default settings - basically, we are talking of poorly configured home networks. It makes the script not very useful for any kind of targeted attack - but it's still perfectly useful for getting into a huge number of simplistic home networks. The payload, of course, should be different - you suggested one possible payload, and, probably, there might be more interesting scenarios. The problem with dynamic IP is not relevant - the broadband providers change users' IPs quite infrequently.

3. Taking all of the aforementioned into consideration, you may ask me - why did I pay attention to this panic? Well, I think that the most interesting thing here is that the attack is unusual and is using one of the fastest developing technologies. The situation is, in my opinion, somewhat similar to the time when the first macro virus appeared. The users didn't stop using Word or Excel - but there were several quite harmful pandemics and some of the security paradigms had to be changed.

Anonymous said...

It's a bunch of HOOWY!
YES it "gets" your "home" IP address of your router..... NO, they have NOT proven that the information is even "passable" to another area/site.. AKA.. Just because I can see my info DOESN'T mean YOU can see my info.

ALSO...... Using Firefox.. It brought up my "password" prompt for my router. IF I have changed the password (some idiots or newbies don't), then NO ONE can get into my router UNLESS they are willing to try to "break" my password.

TOOO much trouble for nothing. The ONLY ones who would suffer are again the IDIOTS who think they are tooo good to do what a "tech" tells them to do, OR someone that has NO IDEA how to use a router or a computer SAFELY, BUT still had one hooked up for them.

Aleksey Linetskiy said...

Yes, but there are quite a lot of those idiots. And they, in turn, can be used to harm even gurus.
