Feeds

Google gears Gmail for PC hack attack

'Offline' web apps exposed

The Essential Guide to IT Transformation

Over the past year, dozens of web-based services have adopted new features that allow them to be used even when an internet connection isn't available. The technologies making this possible may offer plenty of convenience, but they also make end users susceptible to powerful new attacks, a security researcher warns.

So-called offline web applications are springing up like weeds, thanks in large part to Gears, an open-source project spawned by Google that allows data normally stored on a webserver to be stashed instead on end users' computers. Last month, Gmail joined the party, allowing the masses to read and write email even when they're not connected to the interwebs.

Like almost all other offline web applications, offline Gmail works by creating the equivalent of a relational database on the client PC. The result: a single cross-site scripting (XSS) error or SQL injection vulnerability on the web server is all it takes to gain full access to the contents, says Michael Sutton, vice president of research at web security firm Zscaler. He plans to discuss his findings in detail on Wednesday at the Black Hat security conference in Washington.

"It really changes the landscape from an attacker's perspective," Sutton says. "I as an end user can have a fully patched system surfing a reputable site and still be vulnerable because there is a weakness on the page I'm viewing. You are actually made vulnerable if the site has a vulnerability in it."

To prove his point, Sutton identified a SQL injection vulnerability in a time-keeping service offered by a website called Paymo. By embedding select commands into various Paymo URLs, he was able to pluck information stored on a PC that had been using the service's offline feature, he says.

Paymo promptly fixed the bug. But Sutton says the vulnerability amounts to a proof of concept for a new class of attacks that targets users of offline web services. Such "persistent client side storage" attacks, as he has dubbed them, have the potential to target victims each time they interact with a vulnerable service, he warns.

What's more, because the services are generally available to anyone for free, it's possible for attackers to have detailed knowledge of exactly how the databases are configured, an understanding that could go a long way to improving the odds of successfully exploiting the vulnerability.

"There is a real database living within your browser if you're adopting some of these newer technologies, and it's actually easier from an attacker's perspective because I don't have to guess what the structure of the data is," he says.

Because it works on Windows, OS X, and Linux, Gears is by far the most popular way of bringing offline functionality to web services. But it's not the only way websites can make such offerings available. HTML 5, which is still under development, also describes ways for browsers to have local databases that interact with websites. Apple's Safari browser has already implemented part of that.

That has led Sutton to envision a day when most internet users have a wealth of locally stored data on their PCs that seamlessly interacts with websites. Suddenly, XSS exploits - which typically allow attackers to steal only limited amounts of data, such as authentication cookies - could be used to purloin entire databases, he warns.

"These are cool technologies, and they should be adopted," he says. "But you have to understand the risk. It increases the level of risk, and you also need to increase the level of testing to secure it." ®

Build a business case: developing custom apps

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.