A pervasive vulnerability that allows an attacker to take over any Web browser and silently intercept sensitive data input occurs in Web 2.0 settings from Yahoo to ASP .Net to Google, security firm Fortify says.
Client-side libraries that Fortify inspected and found to be vulnerable are the Yahoo UI, Prototype, Script.aculo.us, Dojo, Moo.fx, jQuery, Rico and MochiKit.
Of the AJAX frameworks and client-side libraries Fortify inspected, only DWR 2.0 (Direct Web Remoting 2.0)
in early March.
According to Fortify, the other AJAX frameworks don't explicitly provide any protection, nor does their documentation mention the vulnerability as a security concern.
"The attacker can put code in a Web page," he said. "If he can trick you into running it in your browser, your browser can look like you and act like you, but it's not you; it's actually shoveling data back to [the attacker]."
The problem specifically lies in JSON
The text-based, human-readable format for representing objects and other data structures is mostly used to transmit structured data over a network connection.
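The protection the article says most frameworks lack comes down to two server-side rules: refuse requests that a cross-site script tag is able to make, and make the JSON body unrunnable as script. The example below is added here and is not code from the article or from any of the frameworks it names; the prefix string and the header check are assumptions chosen for illustration.

```javascript
// Added example (not from the article or any named framework): a minimal
// server-side guard and matching client-side parser for JSON responses.

// Assumed prefix. Starting the body with ')' makes it a JavaScript syntax
// error, so a page that loads the URL via <script src=...> gets nothing.
const GUARD_PREFIX = ")]}',\n";

// Server side: a <script> tag always issues a GET and cannot set custom
// headers, so insisting on POST or the X-Requested-With header limits the
// response to the application's own XMLHttpRequest calls.
function serveJson(request, payload) {
  const isXhr = request.headers['x-requested-with'] === 'XMLHttpRequest';
  if (request.method !== 'POST' && !isXhr) {
    return { status: 403, body: 'forbidden' };
  }
  return { status: 200, body: GUARD_PREFIX + JSON.stringify(payload) };
}

// Client side: require the prefix, strip it, then parse the remainder.
function parseGuardedJson(body) {
  if (!body.startsWith(GUARD_PREFIX)) {
    throw new Error('response missing anti-hijacking prefix');
  }
  return JSON.parse(body.slice(GUARD_PREFIX.length));
}

// Check helper: true when the body fails to compile as script, which is the
// property that stops a <script> tag from evaluating it.
function bodyIsNotExecutable(body) {
  try {
    new Function(body);
    return false;
  } catch (e) {
    return e instanceof SyntaxError;
  }
}
```

A bare JSON array or object literal compiles as valid JavaScript, which is why the prefix matters; the guard only helps if every JSON endpoint applies both rules.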
Yahoo began offering some of its Web Services optionally in JSON in December 2005, and Google started offering JSON feeds for its GData Web protocol in December 2006.
Finding a way in.