Dynamic script tags pose a potential security risk

This flickr blog post delves into the rationale behind the recent enhancements made to the people selector autocomplete feature.

A significant challenge they had to address was the handling of a vast amount of data (i.e., all user contacts) on the client-side. Initially attempting to fetch XML and JSON through AJAX proved to be slow. They then explored the option of loading data via a dynamically created script tag with a callback function:

JSON and Dynamic Script Tags: Fast but Insecure

Recognizing that extensive string manipulation was impeding progress in their previous method, they transitioned from using Ajax to retrieving data through dynamically generated script tags. By employing this approach, the contact data wasn't treated as a string but executed immediately upon download, similar to a regular JavaScript file. The performance improvement was remarkable: 89ms to parse 10,000 contacts (a reduction of 3 orders of magnitude), with even the smallest case of 172 contacts taking only 6ms. Interestingly, the parsing time per contact decreased as the contact list grew. This method seemed ideal, except for one major flaw: to execute the JSON data, it had to be wrapped in a callback function. Since this was executable code, any website could potentially adopt the same technique to retrieve a Flickr member's contact list. This posed a critical security risk. (emphasis mine)

Could someone provide insights into the specific security threat outlined here (perhaps with a sample exploit)? How does loading a particular file via the "src" attribute in a script tag differ from fetching the same file through an AJAX call?

Answer №1

This particular question highlights a method that was once successfully exploited to pilfer contact lists from Gmail.

When a browser requests data from a domain, it includes any cookie data associated with the site. This cookie data is crucial for user authentication and determining the specific user data to be retrieved.

For instance, every time you visit a new page on stackoverflow.com, your browser transmits your cookie data to the site. This allows Stackoverflow to identify you and present the relevant information.

The same principle applies to loading any content from a domain, whether it be CSS stylesheets or Javascript scripts.

Flickr encountered a security flaw where any website could embed a JavaScript file hosted on Flickr's servers. As the JavaScript originated from flickr.com, your Flickr cookie data would be included in the request, enabling the malicious site to obtain sensitive information generated by Flickr.

To better understand the exploit involving the theft of google contacts, you can refer to this article for more clarity:

Answer №2

Imagine if I were to insert an HTML page onto my website with the following content:

<script src="http://www.flickr.com/contacts.js"></script>
<script> // transmit the contact information to my server using AJAX </script>

In this scenario, assuming that contacts.js relies on the session to determine which contacts to transmit, I would effectively possess a duplicate of your contacts list.

Nevertheless, if the contacts are transmitted in JSON format, I would encounter a roadblock in trying to access them from my HTML page. This is due to the fact that such a request would constitute a cross-domain AJAX request, which is restricted. Additionally, I wouldn't be able to retrieve the information from my server either, as I would lack access to your session ID.

Answer №3

To put it simply:

Unauthorized javascript code running on individuals' computers is prohibited from retrieving data from any source other than the website it is running on - web browsers are required to uphold this regulation.

There are no limitations on where code can originate from, meaning if you include data in the code, any website visited by the user can utilize the user's credentials to access their data.
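The exploit described in Answer №2 and the origin rule in Answer №3, as an added example that is not part of the original answers: a minimal Node-style request handler that puts the JSONP-style contacts endpoint beside a hardened one. The session store, the cookie name sid, the contacts data and all function names are constructed for illustration.

```javascript
// Constructed session store: cookie value -> the logged-in user's contacts.
const SESSIONS = { "sid-alice": { user: "alice", contacts: ["bob", "carol"] } };

function contactsFromCookie(cookieHeader) {
  const m = /(?:^|;\s*)sid=([^;]+)/.exec(cookieHeader || "");
  const s = m && SESSIONS[m[1]];
  return s ? s.contacts : null;
}

// VULNERABLE (the contacts.js pattern): per-user data wrapped in a caller-chosen
// callback is valid JavaScript, so any page that does <script src=...?callback=f>
// gets it executed in its own origin, with the victim's cookie sent automatically.
function vulnerableHandler(req) {
  const contacts = contactsFromCookie(req.headers.cookie);
  if (!contacts) return { status: 401, body: "" };
  const cb = new URL(req.url, "http://localhost").searchParams.get("callback") || "cb";
  return { status: 200, contentType: "application/javascript",
           body: `${cb}(${JSON.stringify(contacts)});` };
}

// HARDENED: never emit executable script for per-user data. Require a header that
// only same-origin XHR/fetch can add (a script tag cannot set request headers, and
// a cross-origin XHR with a custom header needs a CORS preflight we never answer),
// drop callback wrapping, and prefix the body so that even if it were loaded as a
// script it would be a syntax error before anything runs.
const PREFIX = ")]}',\n";
function hardenedHandler(req) {
  const contacts = contactsFromCookie(req.headers.cookie);
  if (!contacts) return { status: 401, body: "" };
  if (req.headers["x-requested-with"] !== "XMLHttpRequest") return { status: 403, body: "" };
  return { status: 200, contentType: "application/json",
           body: PREFIX + JSON.stringify(contacts) };
}

// Same-origin client code strips the prefix before parsing.
function parseProtectedJson(body) {
  if (!body.startsWith(PREFIX)) throw new Error("missing anti-hijack prefix");
  return JSON.parse(body.slice(PREFIX.length));
}

// Check used below: would this response body execute if a third-party page
// loaded it through a <script src> tag? (Compiles without running it.)
function executableAsScript(body) {
  try { new Function(body); return true; } catch (e) { return false; }
}
```

The vulnerable body compiles as a script while the hardened body does not, which is exactly the difference between a script tag and an AJAX call that the question asks about.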
