Slashdot Mirror


Google Goes On Offensive vs. JavaScript Attacks

alphadogg writes "Google's e-mail security team has updated its Postini engine to stop a new type of JavaScript attack that helped fuel a rise in spam volume in recent months. Google says it has seen a surge in obfuscated JavaScript attacks, describing them as a hybrid between virus and spam messages. The e-mails are designed to look like legitimate messages, specifically Non Delivery Report messages, but contain hidden JavaScript. 'In some cases, the message may have forwarded the user's browser to a pharma site or tried to download something unexpected,' Google said in its official blog."

28 of 108 comments

  1. JS in email text? by mapkinase · · Score: 4, Insightful

    Users should just have an option to execute JS in the email text or not. Problem solved.

    --
    I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
    1. Re:JS in email text? by yincrash · · Score: 4, Insightful

      What legitimate reason is there to accept JS? Your friend isn't going to send you javascript, and a mailing list that uses HTML still has to cater to as many clients as possible which means they still use tables for layout.

    2. Re:JS in email text? by Monkeedude1212 · · Score: 4, Funny

      Your friend isn't going to send you javascript

      You clearly don't hang out with my group of friends.

    3. Re:JS in email text? by VGPowerlord · · Score: 2, Informative

      I hate to say it, but Cheap Canadian Online Pharmaceuticals is not your friend.

      --
      GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
  2. Don't want to post OT but... by bannable · · Score: 2, Funny

    ...could this site have *any* more ads? Good lord, 15 seconds and there have already been THREE inline popup ads and a redirect ad, in addition to all the crap surrounding the article.

    --
    "If you see a man on a horse, he is likely an enemy. Kill the man and eat the horse."
    1. Re:Don't want to post OT but... by BJ_Covert_Action · · Score: 2, Funny

      Well, it is a story about Google. =P

    2. Re:Don't want to post OT but... by Anonymous Coward · · Score: 3, Funny

      Don't worry, you were completely on topic, even if you didn't know it. The topic is disabling javascript to prevent bad things on the Internet.

    3. Re:Don't want to post OT but... by kdemetter · · Score: 3, Insightful

      Going outside doesn't really help: plenty of ads there, and adblock doesn't work on them.

  3. Who the F*** has javascript turned on their mail? by mark-t · · Score: 3, Insightful

    Like, wow... just wow.

    I'd say that people that stupid deserve whatever they get, except that they are likely to do damage to other systems than their own.

    So here's a quick question, who on earth thought it would be a good idea to even *allow* javascript to run in an email?

  4. Re:Scheme by vbraga · · Score: 5, Interesting

    JavaScript itself is not the problem, even if "use strict" would come in handy. The biggest problem is the DOM and other associated APIs a JavaScript programmer must deal with. It's horrible. But along with good practices (Crockford's JavaScript: The Good Parts comes to mind) it is a very nice language to deal with.

    Take a look at Crockford's JavaScript: The World's Most Misunderstood Programming Language for reference.

    --
    English is not my first language. Corrections and suggestions are welcome.
  5. Anyone using most email clients? by name_already_taken · · Score: 3, Interesting

    Don't most email clients that display html format messages use one of the popular rendering engines, like Webkit? Presumably the html portion of the message is just passed to the rendering engine and the javascript magic happens.

    --
    Putting moderation advice in your .sig lowers your karma!
    1. Re:Anyone using most email clients? by amicusNYCL · · Score: 2, Informative

      In this case the email client is the web browser. I'm not sure if Gmail allows you to disable HTML in the emails you receive.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    2. Re:Anyone using most email clients? by JxcelDolghmQ · · Score: 2, Funny

      I'm quite certain that it would be counterproductive to turn off HTML rendering in the most popular email client for gmail: The web browser.

  6. Nice way to hide a vulnerability ... by GNUALMAFUERTE · · Score: 3, Informative

    TFA should have read: "Google has found a vulnerability in its gmail code that could be used to execute arbitrary JS code in the user's browser".

    Instead, they played that down and used the "we are fighting JS attacks" phrase as if that was normal or common.

    Failing to properly escape JS/HTML/CSS in a webservice is a MAJOR vulnerability.

    --
    WTF am I doing replying to an AC at 5 A.M on a Friday night?
    1. Re:Nice way to hide a vulnerability ... by IamTheRealMike · · Score: 3, Informative

      No, the JavaScript is in an attachment. It's not being rendered by any email product.

  7. Re:Who the F*** has javascript turned on their mai by Wiarumas · · Score: 2, Insightful

    I'd assume a vast majority of people don't even know what JavaScript is, let alone why it is potentially dangerous. Sometimes you have to consider your users, which sometimes means you have to consider the ignorant, non-technical masses (i.e., email users). Sure, you can feed them to the wolves, but it will come back and bite you somehow.

    --
    I will bend like a reed in the wind.
  8. Re:Who the F*** has javascript turned on their mai by GNUALMAFUERTE · · Score: 5, Informative

    Nobody is allowing JavaScript in emails. This is a BUG in Gmail's code, not the user's fault. You use a browser to see your email. Spammers managed to somehow escape JS code and pass it through all of Google's filters and execute it in your browser.

    --
    WTF am I doing replying to an AC at 5 A.M on a Friday night?
  9. Re:Who the F*** has javascript turned on their mai by Qzukk · · Score: 2

    This is a BUG in Gmail's code, not the user's fault

    LOL no. I've been getting these spams for a week or so now. It looks like the usual undeliverable mail message, "see attachment for details", but instead of the attachment being an email message it's an HTML file. So the user clicks on Returned Mail.html and goes wherever the javascript takes them.

    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.
  10. Re:Who the F*** has javascript turned on their mai by interkin3tic · · Score: 5, Insightful

    I'd say that people that stupid deserve whatever they get, except that they are likely to do damage to other systems than their own.

    As always, this sentiment annoys me.

    Ignorance may be annoying, but it doesn't mean someone "deserves" any misfortune. No one is born knowing "I should not enable JavaScript in my e-mail." If this slipped through Google, who I expect to be better than the average user, who the hell are you to say the average user should have known better and deserves it?

  11. Re:Who the F*** has javascript turned on their mai by weicco · · Score: 4, Informative

    I just tested this. I sent a message to my Hotmail box with an HTML file as an attachment. The HTML file contains a single script tag with document.location = 'http://google.com' inside. I opened the mail and opened the attachment. Internet Explorer asks if I want to save "test.html" or open it. This should ring bells big time, but I understand that a normal user doesn't get it and goes and opens the attachment. So I went and clicked Open and was redirected to google.com.

    Now if I save the file and try to open it from the local folder, I get a nice yellow warning bar telling me that the file contains An Evil Script and if I really, really want to open it I must explicitly allow the script to run. If I go and allow the script then I'm at google.com again.

    It seems that this is a simple, direct and rather effective attack against Joe Averages who just want to get rid of the stupid warning dialogs and open up everything that is sent to them. If Google can come up with a generic solution for this, other than trying to rip every HTML tag out of the mails and their attachments, I really applaud them.

    Maybe the browser shouldn't be allowed to be redirected outside the current domain by default? But then again, there would have to be a warning dialog for that and Joe Average would still be out of luck.

    --
    You don't know what you don't know.
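
Added example (not part of the original thread, and not Google's or Postini's code): a gateway-side check for the kind of message weicco tested above, flagging named HTML attachments that contain script tags, event handlers, javascript: URLs or meta refresh. The sample message, its addresses and the example.com URL are constructed, and flagging on the presence of active markup rather than on the script text is an assumption made so that obfuscating the script body does not change the result.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser

class ActiveContentFinder(HTMLParser):
    """Records markup that can run script or navigate the browser."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script tag")
        for name, value in attrs:
            value = (value or "").strip().lower()
            if tag == "meta" and name == "http-equiv" and value == "refresh":
                self.findings.append("meta refresh")
            elif name.startswith("on"):
                self.findings.append(f"event handler {name}")
            elif value.startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name}")

def scan_message(raw_bytes):
    """Map each HTML attachment's filename to the active content found in it."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    report = {}
    for part in msg.walk():
        name = part.get_filename()
        if part.is_multipart() or name is None:
            continue  # only named attachments, not the message body
        if part.get_content_type() != "text/html" and not name.lower().endswith((".html", ".htm")):
            continue
        # decode=True undoes base64/quoted-printable transfer encoding
        html = part.get_payload(decode=True).decode("utf-8", errors="replace")
        finder = ActiveContentFinder()
        finder.feed(html)
        finder.close()
        if finder.findings:
            report[name] = finder.findings
    return report

def build_sample(attachment_html):
    """Constructed NDR-style message; addresses and URL are placeholders."""
    msg = EmailMessage()
    msg["Subject"] = "Returned mail: see attachment for details"
    msg["From"] = "postmaster@example.com"
    msg["To"] = "user@example.com"
    msg.set_content("Delivery failed. See attachment for details.")
    msg.add_attachment(attachment_html, subtype="html", cte="base64", filename="Returned Mail.html")
    return msg.as_bytes()
```

A filter built this way would quarantine or strip the flagged attachment; an HTML attachment with no active markup produces an empty report.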
  12. Pedantic by amicusNYCL · · Score: 2, Informative

    If Google is responding to existing attacks, wouldn't they be going on the defensive?

    --
    "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
  13. Amazing by dr. chuck bunsen · · Score: 3, Funny

    This is the exact reason that I NEVER use the internet. Just too dangerous these days...

    1. Re:Amazing by mcgrew · · Score: 3, Funny

      You're telling me! I damned near broke my wrist last week!

  14. I'm still waiting for... by pongo000 · · Score: 2, Insightful

    ...an effective attack vector against mutt.

  15. Postini is NOT GMail by RandomFactor · · Score: 2, Informative

    Because of the confusion that seems rampant...

    Postini is an anti-spam/anti-virus mail filtering service that sits between your mail system and the internet. Companies (mostly) use it to stop malicious emails getting into their internal mail systems. GMail is a web-mail system which is probably protected by Postini also since Google owns both.

    --
    --- Mercutio was right.
    1. Re:Postini is NOT GMail by stacysmomsmokesabong · · Score: 3, Informative

      Because of the confusion that seems rampant...

      Postini is an anti-spam/anti-virus mail filtering service that sits between your mail system and the internet. Companies (mostly) use it to stop malicious emails getting into their internal mail systems. GMail is a web-mail system which is probably protected by Postini also since Google owns both.

      Interestingly enough, Gmail doesn't use Postini unless you purchase Google Apps Premier and enable Postini for GApps Gmail. Gmail by itself uses its own independently developed anti-spam technology. This is straight from the horse's mouth @ Google Enterprise Support.

  16. plain text by SgtChaireBourne · · Score: 3, Insightful

    plain text : it was good enough for Shakespeare

    --
    Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
    1. Re:plain text by Anonymous Coward · · Score: 2, Funny

      Nonsense, Shakespeare mainly wrote scripts. And to this day, there are problems executing them properly.