1 August 2002
In the 1970s, comedian George Carlin became famous with a routine about seven words one can’t say on television. Carlin’s words were all of the “four-letter” variety. But in this more enlightened age, a different category of words is posing a problem, those that can be interpreted as part of a computer scripting language like JavaScript.
JavaScript is used to give commands to a computer and is commonly used in websites to run search and other such functions. While most JavaScript is innocuous, malicious hackers can use it to run damaging programs. To combat this potential menace, over a year ago Yahoo started subtly changing the text of HTML messages sent over its free email service. (Plain ASCII text messages, which can’t hide JavaScript, are unaffected.) In all, seven words used in JavaScript were changed to synonyms that aren’t. These are:
• eval is changed to review
• mocha is changed to espresso
• expression is changed to statement
• javascript is changed to java-script
• jscript is changed to j-script
• vbscript is changed to vb-script
• livescript is changed to live-script.
The changes are made surreptitiously, without the sender’s knowledge or authorization.
But in a fit of either supreme silliness or incompetent coding, the replacement of these words doesn’t respect word boundaries. So the word medieval, which contains eval, is changed to medireview. Evaluate becomes reviewuate. And retrieval becomes retrireview. And what does Yahoo have against mocha? Well, it turns out that mocha is a JavaScript command that allows a program to enter commands into the user’s browser. (Java/Mocha, get it?)
Googling on medireview, for instance, turns up some 1,100 websites that have incorporated the “word” into their sites. A New York Times book review that is reprinted on another web site includes the sentence: “It was the great Barbara Tuchman who pointed out the capital difficulties of writing about the Middle Ages: that medireview chronology is very hard to pin down.” Evidently someone in the editorial chain forwarded the text of the Times review via Yahoo email. Book reviews are not the only thing affected; other affected sites include university course descriptions, scholarly papers, and bibliographies.
What is really odd is that this alteration of text is utterly unnecessary. Altering the HTML tags in the script makes sense, and many email programs do this (Yahoo also alters tags), but altering plain text doesn’t add security.