
February 4th, 2008

MySpace: Caja JavaScript scrubbing ready for prime time

Posted by Larry Dignan @ 9:01 pm

Categories: Exploit code, Google, Responsible disclosure, Viruses and Worms, Vulnerability research

Tags: Security, Web, JavaScript, MySpace, Caja, Here, Larry Dignan

MySpace is rolling out its development platform, but perhaps more notable is the social network site’s use of Caja, a JavaScript scrubbing tool to make sure third party applications and content are safe. In addition, MySpace is implementing other security processes.

Kyle Brinkman, vice president and general manager of the MySpace Developer Platform, said MySpace is likely to be the first large implementation of Caja–a technology developed by the social network and Google. The MySpace Developer Platform launched on Tuesday.

The general idea behind Caja, which will be included in Google’s OpenSocial code, is to restrict third-party JavaScript to a safe subset of the language so that a gadget can only touch what the hosting page explicitly hands it, not the whole page or the user’s session. The tools can’t come soon enough. Third-party social applications are a security disaster waiting to happen, and there has been little formal testing of them. Take vulnerable software, couple it with a social network and you have hacker paydirt. ActiveX controls, for instance, have been a major security headache (MySpace doesn’t support ActiveX).

Here’s how Google describes Caja:

The computer industry has only one significant success enabling documents to carry active content safely: scripts in web pages. Normal users regularly browse untrusted sites with Javascript turned on. Modulo browser bugs and phishing, they mostly remain safe. But even though web apps build on this success, they fail to provide its power. Web apps generally remove scripts from third party content, reducing content to passive data. Examples include webmail, groups, blogs, chat, docs and spreadsheets, wikis, and more.

Were scripts in an object-capability language, web apps could provide active content safely, simply, and flexibly. Surprisingly, this is possible within existing web standards. Caja represents our discovery that a subset of Javascript is an object-capability language.

According to Brinkman, Caja is designed to “maximize the capability and minimize the exploit.” Brinkman added that MySpace is among the first big deployments of Caja, which is designed to shut down a host of attack vectors. “Caja takes technology that was a computer science project and turns it into an engineering project,” said Brinkman. “The goal is to make JavaScript safer.”

MySpace is hoping that security will be a big selling point for its third-party applications. To that end, third-party applications developed for MySpace will go through Caja and a “safety review process” before going live. These security processes are long overdue, especially if these third-party Web 2.0 toys are ever going to become enterprise class.

Larry Dignan is Editor in Chief of ZDNet and Editorial Director of ZDNet sister site TechRepublic.


Talkback (2 comments)

the most intelligent news in a long time
Posted by: Narr vi | 02/05/08

RE: MySpace: Caja JavaScript scrubbing ready for prime time
If this happens, Myspace will see an influx of users flocking to the new "toys" and designs available... and the site won't look so crappy.... (Read the rest)
Posted by: williams@... | 02/05/08
