Tuesday, September 26, 2006

Can AJAX Clean You Out?

If you have JavaScript turned on, can a website upload files from your computer without your knowing it? Try any AJAX-based email website, such as Google or Zimbra. Attach a file using the textbox, no dialog, and send the email. If this code can upload a file, then why can't AJAX do the same internally, without the usual social amenities such as asking for your approval?

Zimbra is open source. Whatever they do, anyone can do.

Does this mean that for any website you visit with JavaScript on, that website has a wide open straw to your computer? It can't browse (or can it?), but, when it guesses correctly where you have certain files, if I'm not mistaken, it could suck them right up. I hope I am mistaken.

This shocks me. You can install NoScript, which allows you to turn on JavaScript for those websites you trust and those websites only. But still, for those you trust, you must trust them utterly. There's no middle ground. There's no sandbox, such as Java has.

Is this a wide open security hole on the client side for AJAX?
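The question raised above can be tested directly in a browser. The page below is an added example, not code from the original post or from Zimbra; it probes the two things page script would need for the "straw" to work (pre-filling a file input with a path of its choosing, and reading a `file://` URL), and then shows what script actually gets once the user picks a file. The path `/tmp/example.txt` is a constructed placeholder; serve the page over http from a local development server rather than opening it from disk, and watch the output area.

```html
<!DOCTYPE html>
<meta charset="utf-8">
<title>Can page script read a local file?</title>
<!-- Added example, not part of the original post. Nothing is read from disk
     unless the user picks a file in the input below. -->
<input type="file" id="pick">
<pre id="out"></pre>
<script>
  const PROBE_PATH = '/tmp/example.txt';   // constructed placeholder path
  const out = document.getElementById('out');
  const log = (msg) => { out.textContent += msg + '\n'; };

  // Probe 1: can script pre-fill a file input with a path and submit it?
  // The HTML spec makes assigning a non-empty value to a file input throw
  // InvalidStateError; older browsers silently ignored the assignment.
  // Either way the input's file list stays empty.
  function probeFileInputAssignment() {
    const input = document.getElementById('pick');
    try {
      input.value = PROBE_PATH;
    } catch (e) {
      return `assignment threw ${e.name}; files selected: ${input.files.length}`;
    }
    return `assignment ignored; files selected: ${input.files.length}`;
  }

  // Probe 2: can script fetch a file:// URL from an http(s) page?
  // file: is a different origin, so the request fails as a network error.
  async function probeFileFetch() {
    try {
      const res = await fetch('file://' + PROBE_PATH);
      return `fetch succeeded with status ${res.status}`;   // not expected
    } catch (e) {
      return `fetch rejected: ${e.name}`;
    }
  }

  // Probe 3: what does script learn once the user does pick a file?
  // Only that one file's name, size and bytes; the real directory is masked,
  // so input.value reads C:\fakepath\<name> regardless of platform.
  document.getElementById('pick').addEventListener('change', (ev) => {
    const input = ev.target;
    const f = input.files[0];
    log(`user-selected: value=${input.value} name=${f.name} size=${f.size}`);
  });

  log('file input assignment: ' + probeFileInputAssignment());
  probeFileFetch().then((r) => log('file:// fetch: ' + r));
</script>
```

The "attach from a textbox" flow in an AJAX mail client is the same mechanism as probe 3: the browser only hands the page the bytes of a file the user selected in a file input, and the upload is a multipart POST of those bytes. The two things script would need to pull an arbitrary file without that selection (probes 1 and 2) are the ones the browser refuses, which is why NoScript-style per-site blocking is a defence in depth rather than the only barrier.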

AJAX is seductive. Like Paris Hilton, her beauty and riches have gotten her far. But what's this? A DUI?

Update:
(20 Jun 2007) Paris and AJAX jostle for attention. :-)