Worried password_leak_hehe.js is going to spill your precious beans? Well, never fear...
These errant libs could have been badly designed, poorly implemented, deliberately written to be malicious, or compromised by hackers tampering with the source code.
In a paper [PDF] published this week in Proceedings of the 11th USENIX Symposium on Operating Systems Design and Implementation, the COWL team notes that 59 per cent of the top one million web sites, and 77 per cent of the top 10,000 web sites, ranked by monthly traffic in the US, incorporate jQuery – the official site for which was just infiltrated by miscreants, although the library code was not altered.
Perhaps developers simply shouldn't use unaudited or sketchy-sourced code in production, but the team's point is that the use of third-party libraries is prevalent – and this is a security risk. There's also the irony of third-party software protecting coders from third-party software.
COWL, which will be available as a free download from October 15, adds a DOM-level API to Firefox and Chrome. This software interface is then used by web developers to ensure that data is only shared with servers behind named domains – and thus not with any other machines.
An example is given here. The team reckons its API is easy to use, and claims it doesn't reduce the browser's processing speed in an appreciable way.
To test this the team built four web apps using the COWL API: an encrypted document editor, a third-party mashup application, a password manager, and a website that includes jQuery. Using COWL did not slow the browser significantly beyond 16 milliseconds, we're told.
How it works
"What our system does is not check while the system is executing, but at the boundaries between browsing contexts. COWL's checks only happen when there is communication between these contexts."
COWL was developed by Karp and a PhD student at UCL, who is now working at Google, along with Professor David Mazières from Stanford University's computer science department and two of his PhD students working in collaboration with Mozilla Research.
Karp said Mozilla and Chromium were targeted by COWL because they are both open source. Safari, which uses Webkit in the same way as Chrome, should also be usable with COWL, but couldn't speculate on Internet Explorer's internals for COWL.
"What we've achieved in COWL is a system that lets web developers build feature-rich applications that combine data from different web sites without requiring that users share their login details directly with third-party web applications, all while ensuring that the user's sensitive data seen by such an application doesn't leave the browser," said Deian Stefan, lead PhD student on the project at Stanford.
"Both web developers and users win."
Only once the code is released, scrutinized, and others cannot find ways of leaking data from COWL's contexts, can we be so sure. ®
Sponsored: Becoming a Pragmatic Security Leader