Risk
2/19/2009
04:30 PM

Black Hat: Google Gears Offline Data Vulnerable

Google defends its product after a demonstration of a Web service-based attack using a cross-site scripting vulnerability.

The emergence of Web applications that function offline through technologies like Google Gears brings with it new risks: server-side attacks that can access client-side data.

In a presentation at the Black Hat conference in Washington, D.C., on Wednesday, Michael Sutton, VP of search research for Zscaler, demonstrated how a Google Gears-enabled Web service called Paymo.biz could be attacked using a cross-site scripting (XSS) vulnerability so that data stored in a user's local Google Gears database could be accessed or altered.

Paymo.biz fixed the vulnerability promptly, which is unusual. According to a study released in December by WhiteHat Security, Web sites typically take weeks or months to fix security problems.

And no matter how responsive Web sites are to security problems that get reported, the overall problem remains. "Both Gears and HTML5 Database Storage leverage client-side JavaScript to create and interact with local databases," Sutton said in a blog post on Thursday. "Therefore, if an XSS vulnerability is present, it's all too easy for an attacker to compromise the confidentiality and integrity of locally stored data by reading from or writing to the local database."
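The mechanism Sutton describes, as an added example that is not from the article, from Zscaler or from Google: a page that caches records in a local Gears database and then builds markup from them. Whatever script runs in that page's origin can read or write the same database, so the control is keeping attacker-controlled strings from becoming script in the first place. The in-memory rows, the record layout and the helper names below are constructed for illustration; the "local database" stands in for rows a real page would read through the Gears `beta.database` API (`db.execute(...)`), and the code runs under Node without Gears.

```javascript
// Added example (not from the article, Zscaler or Google). Shows the
// rendering defect that turns stored data into script, beside the escaped
// form. The rows below are a constructed stand-in for records read from a
// Gears local database with db.execute(...); the runtime here is plain Node.

// Constructed sample rows, as an offline time-tracking page might cache them.
// Row 2 holds a string that was stored without sanitisation.
const localRows = [
  { id: 1, task: 'Write report', hours: 2 },
  { id: 2, task: '"><script>alert(1)</script>', hours: 1 },
];

// Minimal HTML escaping for text placed into element content or into a
// double-quoted attribute value.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// VULNERABLE: stored values are concatenated straight into markup. Script
// that enters the page this way runs with the site's origin, and the Gears
// database of that origin is reachable from it, which is the condition the
// demonstration described above relied on.
function renderRowsUnsafe(rows) {
  return rows
    .map((r) => `<li data-id="${r.id}">${r.task} (${r.hours}h)</li>`)
    .join('\n');
}

// HARDENED: every value that did not come from the template is escaped for
// the context it lands in (attribute value or element content).
function renderRowsSafe(rows) {
  return rows
    .map(
      (r) =>
        `<li data-id="${escapeHtml(r.id)}">${escapeHtml(r.task)} ` +
        `(${escapeHtml(r.hours)}h)</li>`
    )
    .join('\n');
}

// Review check: does the produced markup contain a script tag or an inline
// event handler that the template itself never emits?
function hasInjectedMarkup(html) {
  return /<script\b|\bon\w+\s*=/i.test(html);
}

// Stand-alone run: print both renderings so the difference is visible.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe:\n' + renderRowsUnsafe(localRows));
  console.log('safe:\n' + renderRowsSafe(localRows));
}
```

The same escaping rule applies on the write path: a value written into the local database with `db.execute` and a parameter array is data, but a value spliced into the SQL string is not, so both the SQL and the HTML contexts need their own encoding.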

One reason it's so easy for an attacker is that vulnerabilities are so common. Over the three years from January 2006 through December 2008, 82% of Web sites had at least one security issue, according to WhiteHat Security, and for 63% of them, issues of high, critical, or urgent severity remain unaddressed.

"Google Gears is a secure technology," Sutton said in a phone interview. The problem is that a secure technology becomes insecure when connected with an insecure Web site.

And Sutton expects the use of offline browser-based storage to be more prevalent as more Web services take advantage of Gears and HTML5. For developers taking that path, he advises doing so carefully.

Google sees Sutton's research as validation of the security guidance it provides to Web developers.

"We built Gears with security in mind, and Mr. Sutton's findings do not show any vulnerabilities in Gears itself," a Google spokesperson said in an e-mailed statement. "Mr. Sutton's work does raise important points for developers who are building applications on top of Gears because, as with online Web applications, the security of local data depends on developers' thorough and careful implementation of their applications. We work hard on the security of our own applications, and we provide tools and documentation to developers to help them avoid introducing vulnerabilities like XSS into their applications."

