Here's another discovery that once again proves the popular adage that technology is both a boon and a bane. Security researcher Aaron Weaver has found a way to spam your printer from the Web.

Building on the concept of cross-site scripting (XSS), whereby an attacker injects malicious code into Web pages viewed by others, Weaver has demonstrated how an attacker can inject spam messages into a Web site visitor's printer.

For a cross-site printing attack to work, the victim has to visit either a malicious Web site or a legitimate page that suffers from a cross-site scripting flaw, a common type of Web programming error. The attacker's page then sends JavaScript to the browser that guesses the address of the victim's network printer and submits a print job to it. The Web site could print annoying ads on the printer and, according to the paper, may even be able to issue more dangerous commands, such as telling the printer to send a fax, format its hard drive or download new firmware.

The attack is derived from techniques employed in a project called "Hacking Network Printers" by Adrian "Irongeek" Crenshaw. Weaver, a security researcher working with a financial firm, notes that most network printers listen on TCP port 9100 and accept raw data: you can telnet to port 9100, type text, and once you disconnect, the text prints. Nothing checks who the sender is, which is what lets a victim's browser, rather than a print server, deliver the job.

Weaver writes: "within the last year there have been new discoveries on attacking the intranet from the Internet. This involves setting an image tag or script tag to an internally addressable IP address and then the browser will request the 'image' resource. Several attacks can be accomplished: port scanning, fingerprinting devices, and changing internal router settings."

Weaver has launched the attack successfully in both Internet Explorer and Firefox. However, since the attack relies on reaching the printer over the network, a printer plugged directly into a PC (by USB or parallel cable, with no network port of its own) is not vulnerable.

Weaver offers two ways to defend against this attack: set an administrator password on your printers, and consider restricting access so that the printer only accepts print jobs from a specific print server rather than from any host on the LAN.

Weaver's research is available in a paper published on the Ha.ckers.org Web site.
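The mechanism described above can be reproduced offline with a stand-in "printer". The following Python is an added example, not code from Weaver's paper or Crenshaw's project. It listens on a raw TCP port the way a port-9100 print service does (an ephemeral loopback port here instead of 9100), sends it the kind of request a browser emits when injected script submits an HTML form with `enctype="text/plain"` (that delivery method is an assumption; the article does not say which request type Weaver's JavaScript used), and returns what would end up on paper: the HTTP request line and headers followed by the spam text, because the printer does not understand HTTP and prints everything it receives. It also models the second mitigation, an allow-list of print-server addresses, so the same job is dropped once the printer is locked down. The spam text, the form field name and the allow-list address are constructed for the demo; guessing the printer's address on the LAN is not simulated, the demo connects to loopback.

```python
# Added example (not code from Weaver's paper or Crenshaw's project): a
# stand-in port-9100 printer on loopback, the browser's text/plain form POST,
# and the print-server allow-list mitigation.  All addresses, the field name
# and the spam text are constructed for the demo.
import http.client
import ipaddress
import socket
import threading

SPAM_TEXT = "CHEAP TONER!!! Call 555-0100 today"  # constructed sample payload


def accepts_job(peer_ip, allowed_cidrs):
    """Mitigation: accept jobs only from the print server's address(es).
    An empty allow-list is the open-by-default state Weaver attacked."""
    if not allowed_cidrs:
        return True
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in ipaddress.ip_network(c) for c in allowed_cidrs)


class RawPrinter:
    """Stand-in for a raw print port: no authentication, no protocol check;
    whatever bytes arrive on the socket are treated as a print job."""

    def __init__(self, allowed_cidrs=()):
        self.allowed = tuple(allowed_cidrs)
        self.jobs = []                      # bytes that would have been printed
        self.sock = socket.socket()
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind(("127.0.0.1", 0))    # ephemeral port stands in for 9100
        self.sock.listen(5)
        self.sock.settimeout(0.2)           # lets the thread notice close()
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, (peer, _) = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:                 # listener closed
                return
            with conn:                      # a non-allowed peer is just dropped
                if accepts_job(peer, self.allowed):
                    self.jobs.append(self._spool(conn))

    @staticmethod
    def _spool(conn):
        """A real printer spools until the browser gives up and closes; here we
        stop once Content-Length is satisfied so the demo finishes at once.
        Request line and headers are 'printed' along with the body."""
        conn.settimeout(2.0)
        data = b""
        while b"\r\n\r\n" not in data:
            chunk = conn.recv(4096)
            if not chunk:
                return data
            data += chunk
        head, body = data.split(b"\r\n\r\n", 1)
        length = next((int(l.split(b":", 1)[1]) for l in head.split(b"\r\n")
                       if l.lower().startswith(b"content-length:")), 0)
        while len(body) < length:
            chunk = conn.recv(4096)
            if not chunk:
                break
            body += chunk
        return head + b"\r\n\r\n" + body

    def close(self):
        self.sock.close()


def browser_form_post(port, text, host="127.0.0.1"):
    """The request a browser emits when injected script submits
    <form method="post" enctype="text/plain" action="http://HOST:PORT/">.
    text/plain encoding is 'name=value' with no percent-escaping, so the
    spam reaches the printer verbatim; the browser waits for a reply that
    never comes, and the job prints anyway."""
    body = f"msg={text}\r\n".encode()
    conn = http.client.HTTPConnection(host, port, timeout=2)
    try:
        conn.request("POST", "/", body=body,
                     headers={"Content-Type": "text/plain"})
        conn.getresponse()
    except (http.client.HTTPException, OSError):
        pass                                # expected: the printer hangs up
    finally:
        conn.close()


def run_attack(allowed_cidrs=()):
    """Return what the printer would print, or None if the job was dropped."""
    printer = RawPrinter(allowed_cidrs)
    try:
        browser_form_post(printer.port, SPAM_TEXT)
    finally:
        printer.close()
    return printer.jobs[0] if printer.jobs else None


if __name__ == "__main__":
    print(run_attack().decode())                       # open printer: spam prints
    print(run_attack(allowed_cidrs=("10.0.0.5/32",)))  # locked down: None
```

Running it shows why the attack needs no cooperation from the printer: the first job begins with `POST / HTTP/1.1` and the browser's headers, then the spam text, all of which a raw-port printer would put on paper. With the allow-list set to the print server's address, the same browser connection is closed without being spooled, which is the effect Weaver's second recommendation is after; the administrator password he also recommends protects the management interface, not the raw port, so both are needed.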