AJAX has built in security features to prevent cross domain requests. This creates a problem for enthusiastic web developers that want to create certain robust web applications (like mashups). The solution? Hack up AJAX to do what you want by removing those annoying security features.

That’s the rout that many gung-ho web developers have gone . . . including Google.

But hold on a second! Weren’t those security features built in for a reason? Like for, umm, security or something?

This issues is tackled in Gnucitizen’s article, Google Search API Worms:

Google, one of the biggest AJAX evangelist today, provides JavaScript APIs to allow developers to mashup their services with Google’s enormous capabilities. As a result Google unconsciously enables various types of worms to craw and exploit the web.

Web worms can use Google’s infrastructure to propagate. If a malicious mind finds a vulnerability in WordPress for example and this vulnerability allows SQL Injection, a worm may be written to craw blogs in search for this vulnerability and embed itself into everything that is vulnerable. Once a user visits an infected blog the worm starts another cycle.

Another worm might be able to craw random sites and run generic Cross-site Scripting and SQL Injection checks and send the results to their master who will use them to release more advance worms.

It hasn’t happened yet but it appears to be vulnerability according to Gnucitizen. One worm we covered on seoblackhat was the sammy myspace worm.

Also, I like the Icon that Gnucitizen uses for Google; “The Google Grid” shot is taken from the famous Googlezon video. Good stuff!