Google Goes On Offensive vs. JavaScript Attacks

alphadogg writes "Google's e-mail security team has updated its Postini engine to stop a new type of JavaScript attack that helped fuel a rise in spam volume in recent months. Google says it has seen a surge in obfuscated JavaScript attacks, describing them as a hybrid between virus and spam messages. The e-mails are designed to look like legitimate messages, specifically Non Delivery Report messages, but contain hidden JavaScript. 'In some cases, the message may have forwarded the user's browser to a pharma site or tried to download something unexpected,' Google said in its official blog."

JS in email text?

[mapkinase]

User should just have an option to execute or not JS in the email text. Problem solved.

Re:JS in email text?

[yincrash]

What legitimate reason is there to accept JS? Your friend isn't going to send you javascript, and a mailing list that uses HTML still has to cater to as many clients as possible which means they still use tables for layout.

Re:JS in email text?

[Monkeedude1212]

Your friend isn't going to send you javascript

You clearly don't hang out with my group of friends.

Re:Scheme

[vbraga]

JavaScript itself is not problem, even if "use strict" would come handy. The biggest problem is DOM and other associated APIs a JavaScript programmer must deal with. It's horrible. But along good practices (Crockford's Javascript The Good Parts come to mind) it is a very nice language to deal with.

Take a look at Crockford's JavaScript: The World's Most Misunderstood Programming Language for reference.

Re:Who the F*** has javascript turned on their mai

[GNUALMAFUERTE]

Nobody is allowing javascript in emails. This is a BUG in Gmail's code, not the user's fault. You use a browser to see your email. Spammers managed to somehow escape JS code and pass it through all of google's filters and execute it in your browser.

Re:Who the F*** has javascript turned on their mai

[interkin3tic]

I'd say that people that stupid deserve whatever they get, except that they are likely to do damage to other systems than their own.

As always, this sentiment annoys me.

Ignorance may be annoying, but it doesn't mean someone "deserves" any misfortune. No one is born knowing "I should not enable javascript in my e-mail." If this slipped through google, who I expect to be better than the average user, who the hell are you to say the average user should have known better and deserves it?

Re:Who the F*** has javascript turned on their mai

[weicco]

I just tested this. I send a message to my Hotmail box with HTML file as attachement. HTML file contains single script tag with document.location = 'http://google.com' inside. I opened the mail and opened the attachement. Internet Explorer asks if I want to save "test.html" or open it. This should ring bells big time but I understand that normal user doesn't get it and goes and opens the attachment. So I went and clicked Open and was redirected to google.com.

Now if I save the file and try to open it from the local folder I get nice yellow warning bar telling me that the file contains An Evil Script and if I really, really want to open it I must explicitly allow the script to run. If I go and allow the script then I'm at google.com again.

It seems that this is a simple, direct and rather effective attack against Joe Averages who just want to get rid of the stupid warning dialogs and open up everything that is sent to them. If Google can come up with a generic solution for this, other than try to rip off every HTML tag from the mails and their attachements, I really applaud them.

Maybe the browser shouldn't be allowed to be redirected outside the current domain by default? But then again, there would have to be warning dialog for that and Joe Average would still be out of luck.