3 Ways JavaScript Can Breach Your Privacy & Security

Joel Lee 31-12-2014

You’ve probably heard that JavaScript is dangerous. Well, that’s partly correct. JavaScript can be dangerous if the proper precautions aren’t taken. It can be used to view or steal personal data without you even realizing that it’s happening. And since JavaScript is so ubiquitous across the web, we’re all vulnerable.


It all comes down to how JavaScript actually works. JavaScript is a good thing for the most part, but it just happens to be so flexible and so powerful that keeping it in check can be difficult. Here’s what you need to know.

The Benefits Of JavaScript

First things first, JavaScript is a good thing. According to W3Techs, approximately 88.1% of all websites use JavaScript in one way or another. Most of the big name sites — such as Amazon and YouTube — would be nowhere near as useful if the Internet was a JavaScript-free zone.

For example, jQuery is a popular JavaScript library that makes it easy to create interactive websites with elements that can change without having to reload the entire page. Sites like Facebook and Twitter rely on technologies like AJAX to keep webpages up to date (e.g. timestamps, # of Likes, etc.) without refreshing the page every second.


But as we’ll soon see, JavaScript is not perfect. It can be abused, and that abuse leads to scenarios that make it possible to snoop on your Internet activity and violate your privacy.


One common yet misguided piece of advice is to disable JavaScript entirely, but we don’t recommend it. You’d lose out on a lot of awesome web functionality, such as the “infinite scrolling” feature that exists on many blogs, social networks, and news sites.

More importantly, some browser exploits are still possible even if you disable JavaScript. Thus, disabling JavaScript because of security concerns is like wearing a bubble suit every time you go outside because you’re afraid of getting hurt. It won’t actually protect you from much, but it will make your life miserable.

Snooping The Words You Type

In July 2012, a pair of researchers sampled data from 5 million Facebook users in America and the United Kingdom. What were they looking for? Self-censorship. More specifically, they wanted to know how often users would start writing a post but end up deleting it before it was actually posted.

They did this by embedding a bit of JavaScript that tracked the textboxes where users could make status updates, write wall comments, etc. The researchers made it clear that they only recorded “the presence or absence of text entered” rather than “keystrokes or content,” but the implication is clear.



It was possible to track keystrokes and content. They just chose not to.

The notion is a scary one. A simple chunk of embedded JavaScript is all that’s needed to record any kind of activity on a webpage — even if you don’t actually submit anything! Web scrolling, mouse movements, keystrokes: all of it can be tracked and recorded against your will or knowledge.

Tracking Your Browsing Habits

The tracking capabilities of JavaScript don’t just stop at textboxes. Through the magic of browser cookies, companies can store all kinds of user-specific information: browser type, preferences, location, etc. The claim is that this kind of tracking is done to offer a better user experience (e.g. relevant ads), but it still feels like a violation.


Cookies are persistent, meaning they continue to exist even after you leave the webpage or close your browser (unless they expire or you delete them manually). Do you see the growing problem? If a cookie persists from webpage to webpage, it’s possible for a company to see which websites you visit.


This is best explained with an example: social share buttons. Consider the Facebook Like button, which uses JavaScript to perform its action. When your browser loads the page, it has to load the button. Loading the button means making a request to Facebook for the necessary JavaScript file. That request includes data like your IP address, the webpage you’re on, any Facebook cookies on your system, etc.

Just to be clear, you don’t need to click the button for it to track you. The act of loading is enough for these share widgets to gather data on you.
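To see which third parties a page notifies simply by loading, the added example below (not part of the original article) scans constructed sample HTML for automatically fetched resources and lists the off-site hosts. The `.test` hostnames, the function names and the two-label `siteOf` heuristic are assumptions for illustration.

```javascript
// Constructed sample page, not a real site.
const SAMPLE_HTML = `
<html><head>
  <link rel="stylesheet" href="https://fonts.example-cdn.test/css?family=Roboto">
  <script src="/static/app.js"></script>
  <script src="https://widgets.social.test/like-button.js"></script>
</head><body>
  <img src="https://news.example.test/logo.png">
  <iframe src="//comments.thirdparty.test/embed?thread=42"></iframe>
</body></html>`;

// Elements whose src/href the browser fetches without any click.
const AUTO_LOAD = /<(script|img|iframe|link)\b[^>]*?\b(?:src|href)\s*=\s*["']([^"']+)["']/gi;

// Crude "same site" test: compare the last two DNS labels.
// Assumption: fine for a demo; real tools use the Public Suffix List.
function siteOf(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

// Returns [{ host, tags }] for every off-site host the page contacts on load.
function thirdPartyLoads(html, pageUrl) {
  const page = new URL(pageUrl);
  const found = new Map(); // host -> Set of tag names
  for (const [, tag, ref] of html.matchAll(AUTO_LOAD)) {
    let target;
    try { target = new URL(ref, page); } catch { continue; } // skip malformed URLs
    if (!/^https?:$/.test(target.protocol)) continue;        // ignore data:, about:, ...
    if (siteOf(target.hostname) === siteOf(page.hostname)) continue;
    if (!found.has(target.hostname)) found.set(target.hostname, new Set());
    found.get(target.hostname).add(tag.toLowerCase());
  }
  return [...found]
    .map(([host, tags]) => ({ host, tags: [...tags].sort() }))
    .sort((a, b) => a.host.localeCompare(b.host));
}

console.log(thirdPartyLoads(SAMPLE_HTML, 'https://news.example.test/article'));
```

Each host in the result receives your IP address, the page URL (as the referrer) and its own cookies as soon as the page renders.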


That being said, social share buttons are just one of many ways companies can track your browsing habits. Other examples include online dating profiles, Disqus comments, and websites that use Google’s free web fonts.

Malicious Code Injection

One of the most insidious uses of JavaScript occurs in the form of cross-site scripting (XSS). Simply put, XSS is a vulnerability that allows hackers to embed malicious JavaScript code into an otherwise legitimate website, which is ultimately executed in the browser of a user who visits the site.

If this happens on a website that handles sensitive user information, such as financial data, the malicious code could potentially snoop and steal that information. Taken one step further, XSS can be used to proliferate viruses and malware, which is what happened when Twitter was infected with the StalkDaily worm.
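How output encoding closes this hole, as an added example that is not part of the original article: the same comment is rendered by a deliberately vulnerable function and by a hardened one, using a constructed, harmless payload. All function names here are hypothetical.

```javascript
// Constructed, harmless payload standing in for attacker-supplied text.
const SAMPLE_COMMENT = '<script>document.title = "injected"</script>';

// Vulnerable "before": user input is pasted into the markup unchanged.
function renderCommentUnsafe(author, text) {
  return `<li><b>${author}</b>: ${text}</li>`;
}

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the characters that can open a tag, start an entity
// or close a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hardened "after": every untrusted value is encoded at the point of output.
function renderCommentSafe(author, text) {
  return `<li><b>${escapeHtml(author)}</b>: ${escapeHtml(text)}</li>`;
}

// List the element names a browser would create from the fragment.
function tagNames(html) {
  return [...html.matchAll(/<([a-z][a-z0-9]*)\b/gi)].map((m) => m[1].toLowerCase());
}

console.log(tagNames(renderCommentUnsafe('mallory', SAMPLE_COMMENT)));
console.log(tagNames(renderCommentSafe('mallory', SAMPLE_COMMENT)));
console.log(renderCommentSafe('mallory', SAMPLE_COMMENT));
```

This encoding covers HTML element content and quoted attribute values only; values placed inside script blocks, URLs or CSS need encoding specific to that context.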


XSS can also be used for something called search engine poisoning. Long story short, malware makers can use JavaScript to infect websites with high search result rankings in such a way that users who try to visit those sites are redirected to malware-infested websites instead.

And then there’s something called a cross-site request forgery (CSRF), which is the inverse of an XSS. This kind of malicious JavaScript code can exploit a user’s browser, cookies, and security permissions in order to perform actions on a separate website.
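One server-side defense is to reject state-changing requests that arrive from another origin, even when the browser attaches valid cookies. The added example below (not part of the original article) checks the `Origin` and `Referer` headers; the trusted origin, the request shape and the function names are assumptions for illustration.

```javascript
// Assumption: the site's own origin; requests are plain { method, headers }
// objects with lower-case header names, constructed for this example.
const TRUSTED_ORIGINS = new Set(['https://bank.example.test']);

// Assumption: handlers for these methods never change state.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Normalise a header value to scheme://host[:port], or null if unparsable
// (this also covers the literal "null" sent from sandboxed frames).
function originOf(value) {
  try { return new URL(value).origin; } catch { return null; }
}

// Decide whether a request may proceed. Returns { allow, reason }.
function checkRequestOrigin(req) {
  if (SAFE_METHODS.has(req.method.toUpperCase())) {
    return { allow: true, reason: 'safe method' };
  }
  // Prefer Origin; fall back to Referer when Origin is absent.
  const source = req.headers.origin ?? req.headers.referer;
  if (!source) return { allow: false, reason: 'no Origin or Referer' };

  // Compare parsed origins, never string prefixes: a lookalike such as
  // https://bank.example.test.evil.test would pass a startsWith() check.
  const origin = originOf(source);
  if (origin === null || !TRUSTED_ORIGINS.has(origin)) {
    return { allow: false, reason: `cross-site: ${source}` };
  }
  return { allow: true, reason: 'same origin' };
}

// Constructed requests: one from the site itself, one forged from elsewhere.
console.log(checkRequestOrigin({ method: 'POST', headers: { origin: 'https://bank.example.test' } }));
console.log(checkRequestOrigin({ method: 'POST', headers: { origin: 'https://forum.example.test' } }));
```

Header checks like this are usually combined with per-session anti-CSRF tokens and `SameSite` cookies rather than used alone.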

What Can You Do To Protect Against JavaScript-Based Attacks?

Ultimately, the responsibility rests with web developers to make sure their websites are clean and secure. As an end user, however, you should always keep your browsers up to date and regularly scan for malware.

Here’s what to do in case you do find malware on your system: “10 Steps To Take When You Discover Malware On Your Computer.”

That being said, I can count on one hand the number of times I’ve run into the above problems. JavaScript is an important part of the modern web. It has done more good for us than bad and it’s here to stay. Interested in becoming a JavaScript developer? Get started with these free learning resources.

Have you ever run into any JavaScript problems? Are you practicing safe habits for security and privacy? Tell us about your experiences in the comments below!

Image Credits: Facebook Notifications Via Shutterstock, Typing Hands Via Shutterstock, Social Share Buttons Via Shutterstock


  1. Java Guy
    August 20, 2016 at 8:54 pm

    I had to _enable JavaScript_ and allow scripts from _external domains_ multiple times to read this page about the dangers of enabling it. LOL. You are some funny guys.

    • Joel Lee
      August 29, 2016 at 8:58 pm

      Haha, that's pretty funny. Unfortunately (or fortunately, considering my lack of web dev knowledge) the tech stack we use for our site is beyond me!

  2. Doc
    January 1, 2015 at 12:20 am

    NoScript for Firefox is one of the best things you can do to protect your PC (but it's no substitute for antivirus!) I only whitelist the sites I trust, including the third-party scripts like jQuery that so many sites load.
    ScriptSafe for Chromium-based browsers is a good equivalent; I don't know of a similar addon for IE...

    • Joel Lee
      January 6, 2015 at 5:41 am

      Thanks for the suggestion and equivalents. I wonder if we'll ever return to a phase of the Internet where adblockers and scriptblockers are no longer necessary. Probably not.

  3. Gmale
    December 31, 2014 at 10:40 pm

    I use the Noscript plugin for Firefox and middle-click the icon until the functions I require are loaded -- like the Disqus comments function, for example. I really miss the simplicity of the web circa 15 years ago. Now, I have to install a dozen plug-ins to make things bearable and semi-secure/private.

    • Joel Lee
      January 6, 2015 at 5:40 am

      There are some who think the concept of NoScript is unethical but it's hard to deny that it offers something that many people find valuable. Also, that complexity you describe is one reason why some people say that JavaScript is the worst thing to happen to the Internet. The 90s was such a simple decade on the web, wasn't it? :P

    • Gmale
      January 8, 2015 at 1:31 am

      I notice a lot of websites detect the NoScript plugin, then, go on to provide a sane alternative to the overcomplicated version which would normally get loaded!
      Yes, the 90's web was a far simpler thing to navigate - anyone could build a respectable website using only Notepad, or Frontpage!