When you finish your online banking or shopping and make your way to another Web site, your browser may leave sensitive information dangling vulnerably from your pocket.
That's thanks to openings in common browser scripting languages - namely JavaScript and VB Script, used in Internet Explorer and Netscape Navigator - that don't always tidy up after dishing out sensitive information.
But a new proposed security method - which would be implemented in the form of a "safe interpreter" in browser software - from Bell Labs is meant to ensure sensitive information submitted through Web forms is not open to use by scripts encountered in subsequent Web browsing. Potentially sensitive information includes social security numbers, credit card numbers, and email addresses.
"This is essentially a framework which we hope will let us implement safe interpreters and improve scripting languages," said Bell Labs researcher Vinod Anupam.
Though a good deal of these openings have been addressed in the latest 4.0 versions of the browsers, Bell Labs, which initially called attention to these and other flaws last year, is proposing a more comprehensive method to make the use of scripts on the Web safer.
The research arm of the New Jersey-based company has presented a method for dealing with the issue it hopes to see implemented by browser companies or other software vendors.
Anupam and Alain Mayer, also of Bell Labs, presented their technique at the USENIX Security Symposium in San Antonio today. The researchers have uncovered browser flaws before.
Despite fixes in the latest browsers that address some scripting security issues, Anupam said the security method they propose adds important flexibility that lets a script control which Web sites can interact with a particular script and the information it handles.
"To be totally fair, some of these things have been fixed already in the latest versions of the browsers," Anupam said. "But there are all sorts of little niggling things that haven't been."
He says that sites and scripts that share the same domain but different owners - such as different "stores" within a single virtual mall - can access sensitive information provided to other stores on the site.
Other sensitive data issues addressed by the proposed safe interpreter include "referrer field" information, which tells one site the address the browser last visited; email addresses used as anonymous passwords; and unpurged "state" information that can be exchanged between two unrelated scripts.
"Our overall goal," Anupam said, "was to come up with a system where a user who browses with scripting languages does not feel any more vulnerable than someone browsing without."
He said Bell Labs has not yet heard from Microsoft, Netscape, or other companies on the proposal, but he expects feedback after the technique is circulated.
