Risk
2/19/2009
04:30 PM
Connect Directly
LinkedIn
Twitter
Google+
RSS
E-Mail
50%
50%

Black Hat: Google Gears Offline Data Vulnerable

Google defends its product after a demonstration of a Web service-based attack using a cross-site scripting vulnerability.

The emergence of Web applications that function offline through technologies like Google Gears brings with it new risks: server-side attacks that can access client-side data.

In a presentation at the Black Hat conference in Washington, D.C., on Wednesday, Michael Sutton, VP of search research for Zscaler, demonstrated how a Google Gears-enabled Web service called Paymo.biz could be attacked using a cross-site scripting (XSS) vulnerability so that data stored in a user's local Google Gears database could be accessed or altered.

Paymo.biz fixed the vulnerability promptly and that's unusual. According to a study released in December by WhiteHat Security, Web sites typically take weeks or months to fix security problems.

And no matter how responsive Web sites are to security problems that get reported, the overall problem remains. "Both Gears and HTML5 Database Storage leverage client-side JavaScript to create and interact with local databases," Sutton said in a blog post on Thursday. "Therefore, if an XSS vulnerability is present, it's all too easy for an attacker to compromise the confidentiality and integrity of locally stored data by reading from or writing to the local database."

One reason it's so easy for an attacker is that vulnerabilities are so common. Over the three years from January 2006, through December 2008, 82% of Web sites had at least one security issue, according to WhiteHat Security, and for 63% of them, issues of high, critical, or urgent severity remain unaddressed.

"Google Gears is a secure technology," Sutton said in a phone interview. The problem is that a secure technology becomes insecure when connected with an insecure Web site.

And Sutton expects the use of offline browser-based storage to be more prevalent as more Web services take advantage of Gears and HTML5. For developers taking that path, he advises doing so carefully.

Google sees Sutton's research as validation of the security guidance it provides to Web developers.

"We built Gears with security in mind, and Mr. Sutton's findings do not show any vulnerabilities in Gears itself," a Google spokesperson said in an e-mailed statement. "Mr. Sutton's work does raise important points for developers who are building applications on top of Gears because, as with online Web applications, the security of local data depends on developers' thorough and careful implementation of their applications. We work hard on the security of our own applications, and we provide tools and documentation to developers to help them avoid introducing vulnerabilities like XSS into their applications."


What are some of the other key security concerns IT professionals have? InformationWeek has published an independent analysis of this topic. Download the report here (registration required).

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2010-5110
Published: 2014-08-29
DCTStream.cc in Poppler before 0.13.3 allows remote attackers to cause a denial of service (crash) via a crafted PDF file.

CVE-2012-1503
Published: 2014-08-29
Cross-site scripting (XSS) vulnerability in Six Apart (formerly Six Apart KK) Movable Type (MT) Pro 5.13 allows remote attackers to inject arbitrary web script or HTML via the comment section.

CVE-2013-5467
Published: 2014-08-29
Monitoring Agent for UNIX Logs 6.2.0 through FP03, 6.2.1 through FP04, 6.2.2 through FP09, and 6.2.3 through FP04 and Monitoring Server (ms) and Shared Libraries (ax) 6.2.0 through FP03, 6.2.1 through FP04, 6.2.2 through FP08, 6.2.3 through FP01, and 6.3.0 through FP01 in IBM Tivoli Monitoring (ITM)...

CVE-2014-0600
Published: 2014-08-29
FileUploadServlet in the Administration service in Novell GroupWise 2014 before SP1 allows remote attackers to read or write to arbitrary files via the poLibMaintenanceFileSave parameter, aka ZDI-CAN-2287.

CVE-2014-0888
Published: 2014-08-29
IBM Worklight Foundation 5.x and 6.x before 6.2.0.0, as used in Worklight and Mobile Foundation, allows remote authenticated users to bypass the application-authenticity feature via unspecified vectors.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.