Blogger can have JavaScript embedded?


18 Dec 2008 by Sonvir Singh Attri

Hi folks,

I guess other people knew this, but I did not. It turns out that if you own a blog using the new version of Blogger, you can embed JavaScript by adding Page Elements in the layout screen.

What this means is that, if you wanted to, you could embed exploits. Now, to be fair, it’s only in your own blog, and an exploit might get shut down pretty quickly, but on the other hand, some exploits are pretty subtle, and some will not be noticed until long after someone has surfed off somewhere else. And, of course, if it’s a rootkit, it might not be noticed at all. So far we have not found any overt exploits, but we do keep finding obfuscated automatic redirects to bogus search engines or porn pages.

Here is how it works. They first go to the trouble of setting up a fairly legitimate-looking page. Probably they just “borrow” one from a legitimate site, such as Royal Caribbean Tours. This ensures that when the Google bots come to index them, they will have lots of good keywords to be indexed on. Then, by adding a small piece of JavaScript, they automatically redirect any visitors to the real target. I guess they consider that it’s marketing, but even on the kindest reading, it’s bait and switch at a minimum.

Naturally, we’ve taken the precaution of preemptively blocking those scripts, but it’s easy to see how that school teacher recently got into trouble for having porn on the computers under her control.
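A heuristic check for the pattern described above (keyword-rich page content plus a script that navigates away without user action), added here as an example and not the blocking method the author used. The sample pages and the `landing.example.invalid` URL are constructed, and the function names are assumptions.

```javascript
// Added example: heuristic scan of page HTML for automatic script redirects.
// Navigation performed by script with no user action.
const REDIRECT = /\blocation(?:\.href)?\s*=[^=]|\blocation\.(?:replace|assign)\s*\(/i;
// Decoding calls and dynamic execution, the usual pairing behind obfuscated redirects.
const DECODERS = /\b(?:unescape|decodeURIComponent|atob)\s*\(|String\.fromCharCode\s*\(/i;
const DYNAMIC = /\beval\s*\(|document\.write\s*\(|new\s+Function\s*\(/i;

function extractScripts(html) {
  const bodies = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) bodies.push(m[1]);
  return bodies;
}

// Peel one layer of %xx encoding inside string literals.
function decodeLiterals(js) {
  return js.replace(/(['"])((?:%[0-9a-f]{2}|[\w .:\/=-])+)\1/gi, (whole, q, body) => {
    try { return q + decodeURIComponent(body) + q; } catch (e) { return whole; }
  });
}

function scanPage(html) {
  const findings = [];
  if (/<meta[^>]+http-equiv\s*=\s*["']?refresh/i.test(html)) findings.push('meta refresh');
  extractScripts(html).forEach((js, i) => {
    if (REDIRECT.test(js)) {
      findings.push(`script[${i}]: plain redirect`);
    } else if (DECODERS.test(js) && DYNAMIC.test(js)) {
      const hidden = REDIRECT.test(decodeLiterals(js));
      findings.push(`script[${i}]: ${hidden ? 'obfuscated redirect' : 'decode-and-execute'}`);
    }
  });
  return findings;
}

// Constructed sample pages (not taken from any real blog).
const BODY = '<h1>Caribbean cruise deals</h1><p>Cruise tours, island holidays, cheap cabins.</p>';
const SAMPLES = {
  benign: BODY + '<script>document.title = "Cruises " + new Date().getFullYear();</script>',
  plain: BODY + '<script>window.location = "http://landing.example.invalid/";</script>',
  obfuscated: BODY + '<script>eval(unescape("%6c%6f%63%61%74%69%6f%6e%2e%72%65%70%6c%61%63%65' +
    '%28%27http://landing.example.invalid/%27%29"))</script>',
};

for (const [name, html] of Object.entries(SAMPLES)) {
  console.log(name, scanPage(html));
}
```

A match is a reason to review the page, not a verdict: a legitimate script that sets `location` inside a click handler would also be flagged as a plain redirect.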



