Firms hoping that Web 2.0 technologies may be more secure than current web applications, were dealt a blow today as security firm Fortify Software announced that it had found an industry-wide critical flaw in the JavaScript programming language.

Termed ‘JavaScript Hijacking’, the flaw allows unauthorised attackers to read sensitive data contained in JavaScript messages. Fortify has released a security advisory detailing the flaw - which uses a <script> tag to circumvent the Same Origin Policy (SOP) enforced by web browsers.

SOP was introduced in Netscape Navigator 2.0 to prevent documents or scripts loaded from one website inheriting properties of documents loaded from a different website. Of the 12 most popular AJAX frameworks surveyed, Fortify determined that only one, Direct Web Remoting (DWR) 2.0 implemented mechanisms that prevented JavaScript Hijacking.

WhiteHat Security CTO Jeremiah Grossman said, “New technology is bound to bring new vulnerabilities, so developers need to look carefully at their development process to ensure that they take security into account when they break new ground.”