Uninvited JavaScript!
Having recently blogged an entry on the threat of poisoned websites, I logged on to techgripe.net over the weekend only to find that an additional piece of JavaScript was trying to execute!
How did I find this? Via a very useful Firefox add-on called NoScript. If you don’t use this I highly recommend it - it really does show you what scripts are attempting to run, as well as allowing you to pick & choose which scripts (if any) you will permit. (A security consultant colleague of mine put me onto this.) Another excellent add-on is FireBug which is much more extensive in revealing what’s going on in the code (aimed at web developers) - this revealed the actual content of the script.
This is how the NoScript pop-up shows techgripe.net normally:

However, when I logged on over the weekend, there was an additional entry for “1.2.3.4”!

Obviously I know my site pretty well and I know what scripts should be running on each page. Oh ^#$%^$!, I thought… my site has been infected! But fortunately (I think) it turns out to be a little more benign…
Apparently, if you are on a wireless network (which I was at the time), some providers (in this case Vodafone) employ the assistance of ByteMobile’s “Embedded Browser Optimisation”, which, as far as I can see, involves injecting a JavaScript file (via their transparent proxy) that minimises traffic on their network - the script appears to do such things as optimising HTML and lowering the quality of images. If the script does run, a particular page can refresh faster, but often the bitmaps/pictures on the page will look terrible. Here’s what you will see embedded early on in the page source (if you use Firefox and NoScript):
Note the addition of `<script src="http://1.2.3.4/bmi-int-js/bmi.js" language="javascript"></script>`. Also note that http://1.2.3.4/ cannot be accessed on the open Internet. The actual script that runs looks like this (not complete):

As you can see, there is specific optimisation for different browsers. And apparently, “Shift+R improves the quality of this image. CTRL+F5 reloads the whole page.” What’s even more confusing is that it seems to depend on which ‘cell’ you connect to, i.e. sometimes it doesn’t happen. Why? Not sure yet - possibly the optimisation is dependent on other variables as well, such as connection speed etc.
One might argue that actually, this is quite clever and in general, is a good thing. However, I have a couple of problems with it:
(1) Disclosure - I believe the provider should clearly publish the fact that it uses optimisation technology - this way the more security-aware users can at least understand what they should expect to experience when using the network in question. Initially, I had no idea this was happening.
(2) Risk - if the network provider itself is injecting optimisation scripts so easily under the radar, what else is it doing? More concerning though, what if the transparent proxy service itself was compromised? The whole install-base of mobile clients is instantly vulnerable!
The bottom line is:
- Be aware of what’s going on as you browse! Use Firefox and NoScript/FireBug (or equivalents) wherever possible.
- Don’t assume that well known sites are safe - they may not even know if/when they have been compromised.
- If you run a website, be diligent about knowing what scripts your site should be running. If something unusual appears, check it out thoroughly!
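
One way a site owner could automate that last check, as an added example that is not part of the original post: it lists the external scripts in a fetched copy of a page and flags any whose host is not on an allowlist, using the injected tag quoted above as constructed sample input. The function names, the allowlist and the `/js/site.js` path are assumptions made for illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class ScriptCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a document."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src.strip())


def is_ip_literal(host):
    """True when the host is a raw IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def audit_scripts(page_url, html, expected_hosts):
    """Return (url, reason) for each external script outside the allowlist."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.sources:
        url = urljoin(page_url, src)  # resolve relative and //host paths
        host = (urlsplit(url).hostname or "").lower()
        if host in expected_hosts:
            continue
        reason = "bare IP address" if is_ip_literal(host) else "unexpected host"
        findings.append((url, reason))
    return findings


# Constructed sample: a hypothetical site script plus the injected tag above.
SAMPLE = """<html><head>
<script src="http://1.2.3.4/bmi-int-js/bmi.js" language="javascript"></script>
<script src="/js/site.js"></script>
</head><body>...</body></html>"""

if __name__ == "__main__":
    for url, reason in audit_scripts("http://techgripe.net/", SAMPLE, {"techgripe.net"}):
        print(f"{reason}: {url}")
```

The copy of the page has to be fetched over the network being checked, since the extra tag only appears on connections that pass through the provider's proxy.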
Originally from TechGripe! by Brett Ryland (30 July 2007).



