The Dangers of Remote Scripting

Nat Torkington over at O'Reilly Radar has made a post on the "dangers of remote scripting":

We at O'Reilly just got bit on perl.com, which redirected to a porn site courtesy of a piece of remotely-included Javascript. One of our advertisers was using an ads system that required our pages to load Javascript from their site. It only took three things to turn perl.com into porn.com: (1) the advertiser's domain lapsed, (2) the porn company bought it, (3) they replaced the Javascript that we were loading with a small chunk that redirected to the porn site (note that nothing on or about perl.com changed). Our first concern was that we'd been hacked and "run this remote Javascript" inserted from our servers without our knowledge, but that hadn't happened—our change records and RT logs show we've had that Javascript and advertiser since May 2006.

After seeing Rasmus's excellent talk on web security at OSDC, I realize that in many ways we were lucky—once an attacker can run Javascript on your browser, very bad things can happen.
