Garnet's Wiki Blog from Aug 01, 2008

  2008/08/01
sitemeter problems with IE
Last Changed by garnet, Aug 01, 2008 18:07
Labels: with, js, sitemeter-problems-with-ie, sitemeter, website, ie, security, javascript, webmaster, problems

I recently wrote a security advisory for one of my clients. A clever engineer had used a javascript from googleapis.com on an intranet website, along with some extra javascript to solve the problem of Confluence's global setting for camelcasing. Camelcasing may be necessary with legacy content, but it can be aggravating to newer users who are posting source code, which frequently has a lot of camel cased variable names. With this javascript, the engineer could make false links to uncreated camelcased variable and procedure names just disappear on his pages.

I had to sound the alarm though. Every time someone views his page, it would cause the user's browser to request the .js from googleapis.com, and potentially leave the url of the wiki page (which is similar to the title of the wiki page) in the referrer logs at googleapis. Wiki page titles can be very informative, and should not be freely sent to the logs of external websites.

This morning another client was panicked and wrote me:

From: Tom tom@tom.tom
Sent: Saturday, August 02, 2008 6:49 AM
To: Garnet R. Chaney
Subject: Web Site down - HELP

Garnet,
When I try to go to the BIG web site I get an error that says "Internet Explorer can not open the site".

HELP!

  • Tom

Uh oh. First thought: "Someone got hacked. Hope it wasn't my server." I discovered that his home page would load in Firefox, but not IE. I sent him an email asking him if he had a previous version of his homepage to try. I then went a little further, and this is what I found:

From: Garnet R. Chaney
Sent: Saturday, August 02, 2008 7:44 AM
To: Tom
Subject: RE: More Info on Site Down

I googled:
popup "internet explorer cannot open the internet site" "operation aborted"

I just found this page:
www.humsurfer.com/internet-explorer-cannot-open-the-site-operation-abortedsitemeter-crashed-internet-explorer

I'd suggest removing sitemeter for the moment. They may be having a problem on their servers...

I tried going to the sitemeter.com home page, and their site is doing the same thing.

Some of my older sites with sitemeter links aren't showing a problem.

In general this is the same problem I warned the engineers about with their intranet wiki. Not only do you leak information when you include extranet javascripts in your site, you have no control over what javascript those untrusted sites are serving to be included with your site. Right now, thousands, if not hundreds of thousands, of websites are being broken by sitemeter's oops. It's amazing they don't seem aware that their change broke their own home page! This points to incredibly poor quality assurance on their part. And hundreds if not thousands of webmasters and their ISPs are fielding tech support messages of "My site is broke! What is wrong with your server."

Judging by the timestamps on various messages around the net, sitemeter has been causing this problem for at least 24 hours. To their credit, I've used them for many years and never seen this kind of problem before. But I probably wouldn't have noticed this problem if my client hadn't alerted me. For sitemeter's loss, the word is spreading to thousands of webmasters that they can fix their sites by removing the sitemeter code. Those webmasters are then sending their friends messages "Yup... That was it. The site meter was crashing it. All is well now." Too bad for sitemeter, it can take years to build up a large user base, and only 24 hours to lose a big chunk of it.

Be very careful about including other people's javascript on your own pages. They are a lot like boxes of chocolates: you never know what you might get.
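An added example, not part of the original post: a small Node.js audit that lists the scripts a page pulls from other origins and flags the two risks described above, the page URL leaking through the referrer and the remote host being free to change what it serves. The page origin, sample HTML, script paths and the finding labels are all constructed for illustration; `referrerpolicy` and `integrity` are standard attributes of the HTML `script` element.

```javascript
// Audit a page for third-party <script> includes (added example).
// PAGE_ORIGIN and SAMPLE_HTML are constructed sample data, not real pages.
const PAGE_ORIGIN = "https://wiki.intranet.example"; // hypothetical intranet wiki

const SAMPLE_HTML = `
<html><head>
<script src="/js/local.js"></script>
<script src="https://ajax.googleapis.com/ajax/libs/example/1.0/example.js"></script>
<script src="https://counter.example.net/meter.js" referrerpolicy="no-referrer"></script>
<script src="https://cdn.example.org/lib.js" integrity="sha384-PLACEHOLDER"
        crossorigin="anonymous" referrerpolicy="no-referrer"></script>
<script>var inline = 1;</script>
</head></html>`;

// Parse the attributes of one tag into a lower-cased name -> value map.
function parseAttrs(tag) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// Return one finding per script loaded from an origin other than the page's.
function auditExternalScripts(html, pageOrigin) {
  const findings = [];
  for (const [tag] of html.matchAll(/<script\b[^>]*>/gi)) {
    const attrs = parseAttrs(tag);
    if (!attrs.src) continue; // inline script, nothing is fetched
    const url = new URL(attrs.src, pageOrigin); // resolves relative src values
    if (url.origin === new URL(pageOrigin).origin) continue; // same origin
    const issues = [];
    // Without this policy the request may carry the wiki page URL or origin.
    if (attrs.referrerpolicy !== "no-referrer") issues.push("leaks-referrer");
    // Without an integrity hash the remote host decides what code runs.
    if (!attrs.integrity) issues.push("unpinned-content");
    findings.push({ host: url.host, issues });
  }
  return findings;
}

for (const f of auditExternalScripts(SAMPLE_HTML, PAGE_ORIGIN)) {
  console.log(f.host, f.issues.length ? f.issues.join(",") : "ok");
}
```

A pinned integrity hash makes the browser refuse a changed script rather than run it, so a counter or analytics script that the vendor updates in place cannot be pinned this way; hosting a reviewed copy on your own server is the alternative.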

Posted at 01 Aug @ 6:02 PM by garnet | 0 Comments