Why is loading some Javascript from jalbum.net a "major security risk?" It's the same as using Google Analytics, which loads Javascript from Google.

If you don't want to use widgets, go to Album > Settings > Advanced > Metadata, and uncheck "Include Jalbum widget support."

That one. Jalbum Assistent verwenden.

If you're that worried about it, you should probably disable Javascript on your machine. In fact, you probably shouldn't be connecting to the Internet at all.

on a unix-webserver this command removes all the exiting calls of load.js:

grep -rl http://jalbum.net/widgetapi/load.js *|xargs sed -i -e 's/http:\/\/jalbum.net\/widgetapi\/load.js//'

@SkiFreak:
what's the difference between Your post and the last from EarlyOut ? who was that guy who once said: "everything's been said, but not everyone has said it yet"

anyway to make my point more clear:

• turning of javascript in my browser doesn't protect the other viewers of my albums
• jalbum.net/widget load.js is not needed for me so it is practically a web-bug (http://en.wikipedia.org/wiki/Web_bug)
• further it puts all dear friends which look at my ablums at risk of someone infecting their PCs with malware for no use. all those people will call me if that happens and for some chitchat.

if this is all new to You please read:

http://www.zdnet.com/blog/security/businessweek-site-hacked-serving-drive-by-exploits/1902
http://isc.sans.edu/diary.html?storyid=4405
http://news.techworld.com/security/101475/new-attacks-break-500000-websites/

ok, that jalbum plants a web-bug might be considered a minor thing, but have you read the rest of my posting which you're not quoting?


the hard thing is that it took me years to accidentally find out that it is there at all. and it is bad security to have useless things enabled on default. that's what made microsoft products really insecure 5-10 years ago until they changed that habit, f.e. not running on open IIS on default. the worms code red and nimba where so successful back then because every ms-server had IIS running, even if it was just a SQL-server. that's not the case any more, ms has learned that lesson, jalbum not yet.


hahaha, with that logic You could include a php-shell with every generated jalbum by default and if someone complains say: "you could have turned it of, what's so hard about that?".

please read the 3 links in my posting above. there are real people out there which earn money with hacking websites and load.js would be a very attractive target for them.

or ask anyone who's a bit into it-security if it's a good practice to include a central js-script, regardless of if it's needed, into thounsand/millions of web-albums.

Have you been using Jalbum for years?
It looks like you just signed up, but maybe I am wrong...

as i've said before i wished it wouldn't have been enabled in the beginning and turning it of didn't magically fix it for all the albums created in the past.