Risk
2/19/2009
04:30 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Black Hat: Google Gears Offline Data Vulnerable

Google defends its product after a demonstration of a Web service-based attack using a cross-site scripting vulnerability.

The emergence of Web applications that function offline through technologies like Google Gears brings with it new risks: server-side attacks that can access client-side data.

In a presentation at the Black Hat conference in Washington, D.C., on Wednesday, Michael Sutton, VP of search research for Zscaler, demonstrated how a Google Gears-enabled Web service called Paymo.biz could be attacked using a cross-site scripting (XSS) vulnerability so that data stored in a user's local Google Gears database could be accessed or altered.

Paymo.biz fixed the vulnerability promptly and that's unusual. According to a study released in December by WhiteHat Security, Web sites typically take weeks or months to fix security problems.

And no matter how responsive Web sites are to security problems that get reported, the overall problem remains. "Both Gears and HTML5 Database Storage leverage client-side JavaScript to create and interact with local databases," Sutton said in a blog post on Thursday. "Therefore, if an XSS vulnerability is present, it's all too easy for an attacker to compromise the confidentiality and integrity of locally stored data by reading from or writing to the local database."

One reason it's so easy for an attacker is that vulnerabilities are so common. Over the three years from January 2006, through December 2008, 82% of Web sites had at least one security issue, according to WhiteHat Security, and for 63% of them, issues of high, critical, or urgent severity remain unaddressed.

"Google Gears is a secure technology," Sutton said in a phone interview. The problem is that a secure technology becomes insecure when connected with an insecure Web site.

And Sutton expects the use of offline browser-based storage to be more prevalent as more Web services take advantage of Gears and HTML5. For developers taking that path, he advises doing so carefully.

Google sees Sutton's research as validation of the security guidance it provides to Web developers.

"We built Gears with security in mind, and Mr. Sutton's findings do not show any vulnerabilities in Gears itself," a Google spokesperson said in an e-mailed statement. "Mr. Sutton's work does raise important points for developers who are building applications on top of Gears because, as with online Web applications, the security of local data depends on developers' thorough and careful implementation of their applications. We work hard on the security of our own applications, and we provide tools and documentation to developers to help them avoid introducing vulnerabilities like XSS into their applications."


What are some of the other key security concerns IT professionals have? InformationWeek has published an independent analysis of this topic. Download the report here (registration required).

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7241
Published: 2014-12-19
The TSUTAYA application 5.3 and earlier for Android allows remote attackers to execute arbitrary Java methods via a crafted HTML document.

CVE-2014-7249
Published: 2014-12-19
Buffer overflow on the Allied Telesis AR440S, AR441S, AR442S, AR745, AR750S, AR750S-DP, AT-8624POE, AT-8624T/2M, AT-8648T/2SP, AT-8748XL, AT-8848, AT-9816GB, AT-9924T, AT-9924Ts, CentreCOM AR415S, CentreCOM AR450S, CentreCOM AR550S, CentreCOM AR570S, CentreCOM 8700SL, CentreCOM 8948XL, CentreCOM 992...

CVE-2014-7267
Published: 2014-12-19
Cross-site scripting (XSS) vulnerability in the output-page generator in the Ricksoft WBS Gantt-Chart add-on 7.8.1 and earlier for JIRA allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-7268.

CVE-2014-7268
Published: 2014-12-19
Cross-site scripting (XSS) vulnerability in the data-export feature in the Ricksoft WBS Gantt-Chart add-on 7.8.1 and earlier for JIRA allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-7267.

CVE-2014-8272
Published: 2014-12-19
The IPMI 1.5 functionality in Dell iDRAC6 modular before 3.65, iDRAC6 monolithic before 1.98, and iDRAC7 before 1.57.57 does not properly select session ID values, which makes it easier for remote attackers to execute arbitrary commands via a brute-force attack.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.