Is JavaScript Safe?
With so many major security breaches relating to JavaScript these days, you may have questions. Some people may have the erroneous view that JavaScript itself is a virus. That certainly isn’t true, and the notion that JavaScript is dangerous is only partially correct. JavaScript certainly can be dangerous, but only when users aren’t cautious. Hackers can use it to automatically steal your data without you ever being aware of it. Since JavaScript is so widespread and useful, this can leave you vulnerable to attacks.
Any computer that you or your business has connected to the internet could potentially be at risk. That’s why it pays to be aware of JavaScript and what could make it dangerous.
What is JavaScript? How Does JavaScript Work?
JavaScript is a powerful computer scripting language. Unlike C or C++, it does not need a compiler. The code runs right in your browser. JavaScript alters the Document Object Model (DOM) of a website, the structure the browser parses from the HTML and CSS and uses to create the page. JavaScript acts on the DOM once the HTML and CSS finish loading. Because of this structure, it can present many opportunities to attack users.
However, simply disabling JavaScript isn’t always the best solution. This removes some site security and usability features. Beyond this, some exploits can run whether JavaScript is enabled or not. So how do hackers use JavaScript? Here are some common attacks.
Keylogging with JavaScript
In 2012, researchers for Facebook studied 5 million users in the US and Great Britain. They wanted to find out how often users deleted posts that they started writing. To do this, they ran a small JavaScript function that tracked the text entry fields. While the researchers insisted no keystrokes were recorded, it was clear that this was possible. Imagine a website recording your keystrokes even if you don’t send anything!
History Tracking
Keylogging is only one angle of JavaScript’s tracking abilities. Using browser cookies, companies and hackers can track you across websites. A popular example is the Facebook “Like” button. The button uses JavaScript to function. When the button loads, the script executes. This allows Facebook to gain information like what website you’re visiting.
Arbitrary Code Execution
This is the big one that terrifies people. Cross-site scripting (XSS) allows hackers and bad actors to inject malicious code into legitimate websites. It used to be common practice for banner ads to contain XSS attacks, installing malware simply for visiting a website. This even happens to major companies. For example, Twitter was once infected with the StalkDaily worm through XSS. More subtle applications persist today. For example, XSS running on a financial website could give hackers sensitive financial data.
How Can You Defend Against JavaScript Attacks? Can I Make JavaScript Safe?
It’s a two-party responsibility here. Web developers must use secure practices, and users need to be vigilant. Using an up-to-date browser, certain ad blocking extensions, and security services can go a long way. It is also important to scan for malware regularly and read up on current threats. You should also avoid websites you don’t trust or recognize and disable JavaScript if a website looks suspect.
Sometimes vulnerabilities are found in programs and take time to fix. Because JavaScript can run arbitrary code on your machine, it’s important to know which of your apps use JavaScript libraries that may be compromised. JavaScript isn’t going anywhere, and it does more good than harm. Learn to stay safe on the web, and even JavaScript attacks won’t touch you. If you need advice on ensuring your company is safe, contact Arruda Group.