Alert to the dangers of JavaScript

03 Apr 2002

"The simple way to stop it is to disable JavaScript in your browser’s settings. This will stop all sorts of hassle, including pop-up, -under and -after windows. But it also stops many web pages displaying properly. The ideal is a browser that lets you decide what JavaScript attributes to allow. Netscape’s new Mozilla browser does allow some of that filtering. On the Macintosh, the iCab browser (www.icab.de) lets you decide exactly what you will allow globally, and to filter sites by their behaviour. Even so, it’s certain that Brendan Eich never imagined that his invention would be used to create persistent porn sites."

Article in Independent Review – Monday 1st April 2002

'Not an April Fool – a fairly strident alert to the dangers of JavaScript – and an indication as to why it is disabled extensively' Philip Sheldon

The pop-up porn pest - Is pornography hijacking your homepage?

When Brendan Eich invented JavaScript, he unwittingly opened a computerised Pandora’s box that allows sites to control your desktop. Charles Arthur reports:

If you’ve done any web surfing lately, you’ll have come across the now-infamous ‘pop-ups’ – adverts that appear in their own little window separate from the one you’re viewing stuff in. Added to their ranks are ‘pop-unders’ (which appear under the window you’re looking at) and ‘pop-afters’ (which appear when you close the window you were looking at).

Some people, though, have found that mistyping a web page address has resulted in them ending up at porn sites – and that, mysteriously, the site becomes (very much against their will) their home page, no matter how much they change their browser settings.

The culprit in all these cases is a language called ‘JavaScript’, which, in theory, extends web browsing to make it possible to do much more with a web page than HTML ever could. It was invented in 1995 by Brendan Eich, a newly arrived employee at Netscape – which, of course, had the commercial monopoly on browsers at that stage of the Internet revolution.

Its first appearance was in December 1995, in Netscape Navigator 2, where it was called JavaScript 1.0, although during its development it was called LiveScript. But then Sun Microsystems began to preach the virtues of its Java language, a write-once, run-anywhere method of coding, and Netscape saw that there were benefits in having people think that the two were connected. (They aren’t, in fact.)

If you want to see some JavaScript, go to almost any page, bring up the ‘source’ (the raw HTML) and look for the content between ‘fl’ and ‘(++)’ (two + signs vertical). Early browsers treated anything there as a comment, to be ignored; later ones look for JavaScript in there, too. If you’re not into programming, it’ll just look like random letters and numbers. But to your browser, it’s meaningful.

Predictably enough, when Microsoft entered the browser wars in 1996, it brought along its own version of JavaScript, which it called JScript. But there is a standardisation body: JavaScript comes under the wing of the European Computer Manufacturers’ Association (ECMA), and versions that match its agreed standard are also called ECMAScript.

So what can JavaScript do? The list has expanded with every release (it’s just about to reach version 1.4). At first it was simple things like changing the appearance of something on the page when you put your mouse over it (a ‘mouseover’ event). Later versions enabled it to resize browser windows, open new windows and write cookies (the little text files that tell sites if you’ve visited them). Ingenious JavaScript writers could even add their site as a bookmark on your browser, or make it your homepage.

And some web designers realised they could go a lot further: that they could alter the registry on Microsoft’s Windows operating system. The registry holds all sorts of details about the configuration of your machine, and gets accessed every time you start up; any programs in there get run.

So who uses JavaScript to alter the registry? Porn sites. People who had planned to visit a site called ‘mypcworld.com’ and mistyped it as ‘mycpworld.com’ found themselves at a porn site intentionally set up to catch just such a misspelling. Worse, it hijacked their homepage. Resetting their homepage in the browser didn’t help – every time they restarted the machine it would go back to that porn page.

In the end, the unfortunate users had to manually edit their registries to delete any reference to the cuckoo program that was altering their browser’s homepage each time they restarted.