Scripting backdoor steals secrets

By Graydon Miles and Eric J. Bowden, BugNet
December 18, 2000
URL: http://www.zdnet.com.au/news/security/soa/Scripting-backdoor-steals-secrets/0,130061744,120107739,00.htm


By not validating user input, major Web sites are opening themselves up to the loss of sensitive customer data.

E-commerce, the buzzword of the new millennium, is changing the way we do business. Nothing can beat the convenience and discounts that can be found on the Internet. Then again, if these e-commerce sites don't mend their ways, they might be giving out more than just cheap airfares and cut-rate deals. They could be sending your sensitive data to a malicious user without your permission, and without their knowledge.

KeyLabs tests have verified a security problem that based on our research is affecting about one third of the Internet's biggest Web sites. Because of lax security, these e-biz sites are allowing malicious JavaScript and ActiveX scripts to be run from their site.

So, once again, it's time to remind you to tighten your security belt because we might be in for a rough ride.

How it works

A BugNet reader submitted this after he had tested this security vulnerability on a number of Web sites. We are surprised, not only with the ease of this exploit, but also with the pervasiveness of the problem. Our examination revealed that some of the biggest and well-known Web sites exhibit this vulnerability. The exploit is based on a flaw in the way Web sites handle user input allowing a malicious user to execute a rogue script from a legitimate site.

The problem is that these Web sites don't properly screen user input. So, if you searched for the phrase "", the Web site will try to get your browser to execute the JavaScript alert command. With JavaScript enabled in your browser, you will get a message box on your computer that says "Hello." This example could easily be expanded to copy files, or even cookies off your computer.

What's At Stake?

Using this vulnerability, a hacker could send out an e-mail message containing a specially constructed hyperlink to their victims. When the victim clicks on the link, his or her private "cookie" can be stolen. This would allow the hacker to retrieve personal information about the user, including the contents of his or her shopping cart.

This could also potentially give the hacker the ability to impersonate the victim online, and gain access to his or her credit card information.

Depending on the victim's security settings, this same vulnerability would allow the hacker to run rogue ActiveX controls on the victim's machine, bypassing all the usual security safeguards. This vulnerability also defeats the cross-domain security controls present in all popular browsers.

KeyLabs tests have verified the vulnerability on over 20 of the largest and most well-known Web sites. To test other sites for yourself, you can copy and paste the "Hello" JavaScript ("") into a search field on your favorite website. If the site isn't appropriately parsing its search strings, you will get the "Hello" message box on your screen. If this happens, then it's time to complain to their support departments. KeyLabs tests showed that both Netscape and IE will exploit this security breach, but we want to reiterate, this is not a browser bug. It is a bug in the custom code used to grab and process user data.

Still there are things that you can do.

What you can do

As an Internet user, first test to see if your favorite sites are affected by this vulnerability. Perhaps your biggest defense against this vulnerability is to disable scripting altogether. Even with some of the recent browser security patches, you will still be vulnerable to malicious code as long as you have JavaScript and ActiveX enabled. Unfortunately, we don't see this as an option for too many people since scripting has become synonymous with browsing the Internet.

Something else you might try with Internet Explorer is disabling script execution for all sites except those that you have personally tested. For example, KeyLabs tests have found that Amazon is immune to this exploit, so you can put Amazon in your trusted sites list.

What Web designers must do

For Web developers, the solution is clear. You MUST validate user input. When building a Web site, validating user input is sometimes the last thing you think about. Two quick methods for eliminating this problem from your Web site include 1) limiting the size of your user input fields, and 2) permitting only letters and numbers (no special characters that are common in JavaScript tags).
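The following is an added example, not code from the BugNet article or from any of the sites it tested. It puts the unvalidated search-results rendering described under "How it works" beside a hardened version that applies the two fixes above (a length limit and a letters-and-numbers-only rule) and also HTML-escapes the reflected term, which is the standard way to stop a search string from being interpreted as markup. The field length of 64, the allowed-character pattern, the function names and the sample "Hello" string are all assumptions made for this example.

```javascript
// Added example (not from the article): a search-results page renderer in
// vulnerable and hardened forms, plus a simple check for reflected script.

// Vulnerable: the search term is copied into the page verbatim, so any
// <script> or other markup in it is interpreted by the visitor's browser.
function renderSearchVulnerable(term) {
  return `<html><body><h1>Results for: ${term}</h1></body></html>`;
}

// Escape the characters that change meaning inside HTML text and attributes.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Assumed limits for this example; the article gives no specific values.
const MAX_TERM_LENGTH = 64;              // fix 1: limit the size of the field
const ALLOWED_TERM = /^[A-Za-z0-9 ]*$/;  // fix 2: letters, digits and spaces only

// Returns the term unchanged if it passes both rules, otherwise null.
function validateSearchTerm(term) {
  if (typeof term !== 'string') return null;
  if (term.length > MAX_TERM_LENGTH) return null;
  if (!ALLOWED_TERM.test(term)) return null;
  return term;
}

// Hardened: reject anything that fails validation, and still escape what is
// reflected (defence in depth; escaping alone already prevents reflection).
function renderSearchSafe(term) {
  const clean = validateSearchTerm(term);
  if (clean === null) {
    return '<html><body><h1>Invalid search term</h1></body></html>';
  }
  return `<html><body><h1>Results for: ${escapeHtml(clean)}</h1></body></html>`;
}

// Escape-only variant for sites whose searches legitimately need punctuation:
// the term is shown back to the user as text, never interpreted as markup.
function renderSearchEscapedOnly(term) {
  return `<html><body><h1>Results for: ${escapeHtml(String(term))}</h1></body></html>`;
}

// Constructed sample input: the kind of "Hello" test string the article
// describes pasting into a search field.
const SAMPLE_PAYLOAD = '<script>alert("Hello")</script>';

// Detection helper: true if the rendered page contains a raw script tag,
// i.e. the input was reflected without validation or escaping.
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}

// Summarise how each renderer handles the sample payload.
function demo() {
  return {
    vulnerableReflects: containsRawScriptTag(renderSearchVulnerable(SAMPLE_PAYLOAD)),
    safeReflects: containsRawScriptTag(renderSearchSafe(SAMPLE_PAYLOAD)),
    escapedOnlyReflects: containsRawScriptTag(renderSearchEscapedOnly(SAMPLE_PAYLOAD)),
  };
}

console.log(demo());
```

Running the block prints `{ vulnerableReflects: true, safeReflects: false, escapedOnlyReflects: false }`: only the renderer that copies the term straight into the page hands the browser a live script tag. Validation narrows what reaches the search backend; escaping is what keeps the reflected text inert, so a site that cannot restrict searches to letters and numbers should at least escape.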

O'Reilly has a site with good information on protecting your Web site. Their World Wide Web Security FAQ contains practical steps on protecting your site against this kind of attack.

This new exploit supports the notion that maybe scripting shouldn't have free rein of your system after all. Before, we were just so excited with all the cool things JavaScript and ActiveX could do that we never stopped to evaluate the danger of this new technology.

Regardless of what you decide to do, one thing is clear: this vulnerability has just opened up a source of liability for Web site owners. If they can't ensure the security of their customers' personal information, at best they will lose customers. At worst, they will get sued for violation of trust.
