JavaScript exposing information via the Web
On Aug 27, 2007, at 4:41 PM, TidBITS Editors wrote:
> Contact information on any site that contains email addresses is
> equally exposed. When I used Ferret and Hamster to grab my Gmail
> session, I noticed in browsing the useful information Hamster had
> intercepted that my entire list of email addresses for my Gmail
> contacts was present - that's information Google passes to enable
> JavaScript-based instant fill-in as you start typing an email
> address or name.
This lesson was learned years ago by Verizon (the telco part, not the
wireless part, although the wireless part may have benefitted),
because of a massive blunder by Bell Atlantic IT folks. (Sometimes
mergers finalize at quite inconvenient times--Verizon got the bad
press for Bell Atlantic's error.)
The customer's account management page passed the account information
to the browser BEFORE authentication as data in a large JavaScript
script. (In essence, the customer said "I want to look at my account
on xxx-555-1212" and the data arrived.) The user authenticated
(internally to the script) and then had access to the information in
the script--name, address, billing address, payment information, etc--
the sort of thing you would expect--all without bothering the
server. Clearly, if you wanted to change something, the server was
involved at some point.
There was even information that the script wouldn't reveal, such as
the "problem customer flag" which warned telephone support folks of a
customer who, well, had caused problems from the company's point of
view.
So all one had to do to get all this information, for regular
numbers, non-published numbers, etc was to ask for it by number and
capture and parse the JavaScript script.
When Verizon was notified of the problem, they very quickly reacted--
by leaving the problem page in place but removing the links to it
from the site. So if you knew the URL from previous adventures, you
could still get the information. They did eventually pull the page.
It's unfortunate that Google didn't remember this episode. (I'm not
sure of the timing--Google may not have existed yet--Gmail certainly
didn't, but Google's people were reading news. So probably no
corporate memory, but surely some people memory could have happened.)
The timing was essentially the same as when the last step happened
(to me) in USWest cellular (sold to) CellularOne (merged into)
Verizon Wireless, although Verizon Wireless was always distinct from
Verizon telco and had different constituent parts.
The above is my memory of mainstream press reports (blog? what's a
blog?) at the time. My memory is suspect; mainstream press reports
have been suspect since well before Gutenberg's invention gave the
news trade its name "press". So it's nearly certain that there are
details wrong above although the general nature of the blunder is
right. (I keep having the feeling I left a step out of USWest-->
CellularOne--> Verizon Wireless but perhaps only a name change.)
--John