DevX Article: Using AJAX to Spy On You

  1. DevX Article: Using AJAX to Spy On You (12 messages)

    In "Using the XMLHttpRequest Object and AJAX to Spy On You" from DevX, Earle Castledine offers some warnings about AJAX: "While the XMLHttpRequest object and AJAX can provide huge user and developer benefits, there are some issues you probably haven't thought about yet—but it's time everyone did."
    Like so many technologies-gone-bad before it, this technology was created for the purpose of good. And until now, the XMLHttpRequest has been so good it could almost be considered saintly, providing users and developers alike with such conveniences as input validation without post-back, text area spell checkers, and Gmail. Interfaces built with AJAX are fun to use and even more fun to program. It's almost hard to imagine that such a miraculous object could ever do wrong.

    But even without the discovery of a giant security hole, the XMLHttpRequest will likely fall from grace. Its fall will be in the form of "user over-profiling" for want of a better description. Currently, user profiling helps Web site owners detect trends, track page viewing habits and iron out usability problems. Until now though, developers could only analyze posted data—data that users decided they wanted the server to get, and were happy to send off for processing.

    But in a subtle shift, this balance of power has changed hands. With AJAX, a user's actions can be constantly and meticulously monitored. Because it can be done, it will be done, and that will lead to a headache bigger than just wasted bandwidth, terabytes of useless information, and slower page load times.

  2. Only asked for

    I believe this threat will be gone quite soon, as people will probably install "request-stoppers" that halt the browser from sending data unless a button is pressed. Just like we now have popup-blockers, firewalls, etc.

    We just have to wait for the first "hacker attack" using these kinds of techniques.
  3. Only asked for

    It is a shame that this will probably happen. You could also limit requests to SSL only and not accept untrusted certs; then application data wouldn't be sent in plain text and you would know where the information is going.
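    A defensive sketch of the "request-stopper" and "know where the information is going" ideas from the two replies above, added here as example code that is not part of the thread: it gates every XMLHttpRequest send on a recent user gesture and an allow-listed https origin, and records what it blocks so the user can see where data was about to go. FakeXHR, the origin names and the gesture window are constructed assumptions.

```javascript
// Added example (not from the thread); FakeXHR below is a constructed stand-in for XMLHttpRequest.
function createRequestGate({ pageOrigin, allowedOrigins, gestureWindowMs = 2000, now = Date.now }) {
  let lastGesture = -Infinity;
  const blocked = [];                               // audit trail of suppressed requests
  const gate = {
    blocked,
    noteUserGesture() { lastGesture = now(); },     // call from real click/submit handlers
    // Verdict for a request to `url`; relative URLs resolve against the page origin.
    decide(url) {
      let target;
      try { target = new URL(url, pageOrigin); } catch (e) { return 'bad-url'; }
      if (target.protocol !== 'https:') return 'not-https';
      if (!allowedOrigins.includes(target.origin)) return 'unknown-origin';
      return now() - lastGesture > gestureWindowMs ? 'no-user-gesture' : 'ok';
    },
    // Patch an XHR-like class: open() records the destination, send() consults decide().
    install(XHRClass) {
      const origOpen = XHRClass.prototype.open, origSend = XHRClass.prototype.send;
      XHRClass.prototype.open = function (method, url, ...rest) {
        this.gateUrl = String(url);
        return origOpen.call(this, method, url, ...rest);
      };
      XHRClass.prototype.send = function (body) {
        const reason = gate.decide(this.gateUrl);
        if (reason !== 'ok') { blocked.push({ url: this.gateUrl, reason }); return; }
        return origSend.call(this, body);
      };
    },
  };
  return gate;
}
function demo() {
  const sent = [];
  class FakeXHR {                                   // minimal stub of the browser object
    open(method, url) { this.url = url; }  send(body) { sent.push({ url: this.url, body }); }
  }
  let clock = 1000;                                 // injectable clock for the gesture window
  const gate = createRequestGate({ pageOrigin: 'https://app.example',
    allowedOrigins: ['https://app.example'], now: () => clock });
  gate.install(FakeXHR);
  const fire = (url, body) => { const x = new FakeXHR(); x.open('POST', url); x.send(body); };
  fire('/api/save', 'draft=hello');                 // idle page, no gesture -> blocked
  gate.noteUserGesture();                           // user clicked Save
  fire('/api/save', 'draft=hello');                 // same origin, fresh gesture -> sent
  fire('https://tracker.example/log', 'keys=abc');  // third-party sink -> blocked
  fire('http://app.example/api', 'x');              // plaintext -> blocked
  clock += 5000;                                    // gesture window expired
  fire('/api/save', 'late');                        // blocked again
  return { sent: sent.map(s => s.url), blocked: gate.blocked.map(b => b.reason) };
}
```

    In a real page the same wrapper would be applied to window.XMLHttpRequest (and fetch) from an extension or user script, with noteUserGesture wired to click and submit events.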
  4. Not the same as popups

    I believe this threat will be gone quite soon, as people will probably install "request-stoppers" that halt the browser from sending data unless a button is pressed. Just like we now have popup-blockers, firewalls, etc.

    I don't believe this is analogous to popups. The reason people have popup-blockers is because popups annoy them. They use secure connections so that untrusted parties cannot see sensitive information, a concern that the average user can understand quite easily. Asynchronous requests are another matter entirely.

    I just cannot see users being concerned that a website could collect information that the users themselves entered into the page. In fact, after working with a number of non-technical clients, I am certain that a large segment of users would be surprised to learn that the web server cannot already see what they type as they type it. Similarly, I just don’t see the majority of users reviewing the client-side scripts before letting them run, so the idea that the scripts could be updated after page load is not going to send users running for the hills.
  5. It's called NoScript and prevents JavaScript, Java and Flash execution from untrusted (not white-listed) sites.
  6. Just give it a name

    Many developers have been using the "AJAX way" for a long time, but now it has a name, and that's the only difference.
    Do you think little "hackers" waited for it to have a name? No! There are a lot of sites using AJAX techniques to constantly communicate with their host.
  7. There is nothing in AJAX that makes it easier to spy than plain HTML and JavaScript. You still have to collect everything you are interested in; AJAX is not going to do that for you (it is abstract anyway). Do you think that people who want to do this kind of stuff were not already doing so since frames were supported? AJAX is great and its reputation should not be spoiled by this kind of non-news.
  8. I agree with Dennis. This article is IMHO just FUD. The possibility to spy on a user has probably been there since the first JavaScript interpreter was integrated in a browser.
    I also don't see that his examples are real-life ones.
    No-one just types into a text field that he "dropped his iPod" for fun. Regarding false logins, I think it is much more common that someone enters the password, submits the form and only AFTERWARDS realizes that this was the password for a different site.
  9. To be fair, most of the "evil" applications cited above could have been done reasonably well even before the XMLHttpRequest came along.

    nuff said. This single paragraph makes the rest of the article redundant.
  10. Nothing new here. The real thing will surface slowly. Ajax has the potential to get more people used to executing more complex downloaded code in their browsers. Essentially much the same as what we had with ActiveX and Java before that. Of course, JavaScript in the browser seems like a much better sandbox, but as always, every sandbox can (and will) be broken sooner or later. Yawn.
  11. He's got a point, albeit a fairly tenuous one. The only concrete example that he gives of abusing the capabilities of Ajax is transmitting deleted text from an HTML form. That could be accomplished with plain ol' DHTML too, just add a hidden form field and log all the keystrokes in the text fields of interest. It wouldn't get sent if the user didn't submit the form at all, but otherwise it could be just as damning.

    Let's face it, computers and the internet have had the potential to be major civil liberty problems from day one, by making it easier for Big Faceless Authorities to collect lots of information on Joe Citizen. I'll challenge anyone to come up with a recent technology that doesn't have the potential for such abuse.
  12. Web trend capture tools have been able to, for example, record and log a user's mouse movements without AJAX for quite some time, so I think the argument that AJAX is gonna reap awful problems is rather far-fetched.
    Whilst AJAX is a tool to make developers' lives easier, the types of people who write disreputable code are often far more adept at solving the problems AJAX solves without it, unfortunately.

    I'm no terrorist, so I've nothing to hide.


    Cheers and happy coding