Interesting People mailing list archives
IP: Java security ????
From: Dave Farber <farber () central cis upenn edu>
Date: Fri, 23 Feb 1996 11:44:36 -0500
From: ethan miller <elm () cs umbc edu>

Apparently, someone has already figured out how to use the (supposed) secure Java language to do spying. This is important because it doesn't rely on *any* bugs in Java; it merely takes advantage of a design flaw (a Java script doesn't automatically get turned off when you go to another page).

------- Forwarded Message

Date: Thu, 22 Feb 1996 16:08:35 -0800
From: Tom Phelps <phelps () CS Berkeley EDU>
To: net.cool () ginsberg CS Berkeley EDU
Subject: JavaScript in Netscape 2.0 shouldn't let me do this, but it does

JavaScript in Netscape 2.0 shouldn't let me do this, but it does

John Robert LoVerso, OSF Research Institute

After you've visited one of my pages, any of my JavaScript ought to get scrubbed out of your browser's memory. You wouldn't want that code to live on, snooping, spying, or stealing?

This is a simple example where I engage some JavaScript that runs in a (mostly) hidden window. This window persists, and hence, the JavaScript I wrote persists. From then on, it wakes up every second and sees what page you are viewing. If you've changed pages, it reports where you now are back to me via a CGI, which saves information like this:

(The rest at http://www.osf.org/~loverso/javascript/track-me.html)

AND

From: dmd () gradient cis upenn edu (Douglas DeCarlo)

In case you aren't aware of this yet, have you seen these privacy problems which are in JavaScript in Netscape 2.0 (even after people raised concerns in the beta versions)?

Such as a mailto upon loading a page (the page owners get mail from you when you visit this page):

http://www.popco.com/grabtest.html

Or even more intrusive, a script that reports what other pages you visit (well, it does require another window, but the author claims it can be hidden well):

http://www.osf.org/~loverso/javascript/track-me.html

So much for private browsing.. :)

- Doug