JavaScript is popularly used by millions of developers around the world to build websites and mobile apps. However, according to researchers from the John Hopkins Information Security Institute, thousands of websites created with JavaScript are susceptible to a security loophole which could lead to manipulation of the site’s URL or hacking and stealing the profile information of a user.
Referred to as ‘prototype pollution’, this loophole allows hackers ‘pollute’ a prototype (a built-in property of a JavaScript). An altered JavaScript prototype can lead to execution of different malicious actions.
With an architecture called the ‘ProbeTheProto’, the John Hopkins researchers examined one million JavaScript websites and discovered that over 2,700 had multiple loopholes which could expose them to prototype pollution. Some of these websites were some of the most visited in the world including Weebly.com, CNET.com, and McKinsey.com.
‘Organizations don’t even know these vulnerabilities exist. Our ProbeTheProto tool can automatically and accurately detect a wide range of potential attacks and we’ve found that many developers are happy that we are helping them stay ahead of cybersecurity threats,’ said Yinzhi Cao, Assistant Professor of Computer Science in the John Hopkins Whiting School of Engineering.
‘Only recently have researchers started looking closely at prototype pollution and realizing it’s a matter of great concern. Many in the developer community may not be aware that prototype pollution vulnerabilities can have severe consequences.’
In JavaScript, an object is referred to as a collection of related data or functionality. For instance, a user account object usually contains such data as passwords, usernames and email addresses. Once the object prototype is altered, it will affect how the object functions in the application and could also lead to more vulnerabilities, added Cao.
Cao and his research team studied this effect using dynamic taint analysis— a method in which the applications inputs are labeled with a ‘tainted’ marker. They observed how the tainted data moves across the program. If the marker is still present at the program’s output, the researchers know that the application is susceptible to input attacks.
‘Imagine a very long pipe in a big black box and I want to know whether Points A and B are connected. If they are, I can put some toxic liquid at Point A to attack Point B. What we do is to drop a bit of red dye in the water at Point A and then observe the water color at Point B. If I can see Point B is also red, I know A and B are connected and then we can launch attacks,’ said Cao.
The three major input attacks that prototype pollution can cause were identified by the researchers: URL manipulation, cross-site scripting (XSS) and cookie manipulation. These susceptibilities allow attacks steal passwords and install virus.
Cao believes researchers have a responsibility to report prototype pollution susceptibilities to owners of websites and possibly recommend a good patch for their code. So far, 293 susceptibilities have been fixed by developers.
By Marvellous Iwendi.
Source: HUB