Slashdot Mirror

← Back to Stories (view on slashdot.org)

Attacking Local Browser Storage

Posted by CmdrTaco on from the ripe-for-pwnage dept.

CrazyCanucklehead writes "At the Blackhat security conference in Washington, DC, researcher Michael Sutton has detailed how common XSS flaws in web applications employing (Google) Gears and HTML 5 Database Storage can leave local databases wide open to attack. This comes just as Gears is starting to take off, and just yesterday Google demonstrated a beta version of offline Gmail on phones, thanks to HTML 5 support in WebKit-based browsers, such as those used by Android and the iPhone. Sutton drove home the point by walking through a real world example on commercial site Paymo.biz, which has thankfully since been fixed."

28 comments

  1. Doing everything through the web is dumb by Gizzmonic · · Score: 5, Funny

    Why do we need to do spreadsheets or word processing through the web? It's a dumb idea. AJAX stuff will never be secure, especially compared to local applications. I hate the idea of "the cloud." I wish the Internet would go away, maybe then my fat girlfriend wouldn't have found that other guy on WoW. I hate you Internet!

    --
    (-1, Raw and Uncut is the only way to read)
    1. Re:Doing everything through the web is dumb by mcgrew · · Score: 1

      Well, I don't need it and you might not either, but I can see someone with a web-enabled cell phone, a laptop, and a box at their home wanting to access their stuff from anywhere. Say I kept my check register online, I could update it any tome and who would want to access it?

      Or for taking notes or something.

      --
      Free Martian Whores!
    2. Re:Doing everything through the web is dumb by phantomfive · · Score: 1

      Of course, since local applications have always been super-secure. (sarcasm).

      I have no problem with security, since I have coded my own browser, called froam, that runs each page in a separate process in a separate VM, then for safe keeping, I store the data from each thread in a separate hard drive. The storage costs are getting expensive but it is all worth it knowing I have out-microsofted microsoft at their own game. (Ha! and each desk has its own chair! Take that Balmer!!)

      Whatever.

      --
      Qxe4
    3. Re:Doing everything through the web is dumb by Anonymous Coward · · Score: 0

      Lots of stuff for which it comes in handy. Working collaboartively on a paper... it sure beats the back and forth of document files particularly when more than 2 people are involved. You may very well only use the web interface for "content" and do a final polished version, but it sure helps the collaborative writing phase. Particularly as it permits instantaneous collaborative edits.

      Same goes for putting togetehr marks of students when you have multiple TAs for a class. Sure beats the last minute back and foth trying to find out where everybody is, and the ever present "did you edit this version of the spreadsheet? Wasn't this the final list" etc. etc.

      Again, collaboration between 2 individuals may not require it, but start adding people to your collective effort and in some cases it's a must. Synchronization of individual copies just don't always work.

    4. Re:Doing everything through the web is dumb by Anonymous Coward · · Score: 0

      You never had a girlfriend. You're a liar. Why are you lying?

  2. Yeah, this wasn't basically obvious? by Giant+Electronic+Bra · · Score: 2, Insightful

    In essence it isn't a NEW vulnerability, just whenever javaScript can do some new thing on your browser then hey presto! So can someone else's javascript do that marvy new thing. Just proves that XSS attacks live on, and always will.

    --
    "Malo periculosam, libertatem quam quietam servitutem." -- Jefferson
    1. Re:Yeah, this wasn't basically obvious? by LDoggg_ · · Score: 1

      Sure, someone else's javascript can do that marvy new thing if you're dumb enough to include their javascript in your page.

      --

      "If they have both, tell them we use Linux. And if they have that, tell them the computers are down." -Dave Chapelle
  3. There goes my great plan.. by dave562 · · Score: 4, Funny

    ..to develop an app for the IRS that would allow their agents to take work home on their mobile phones. I guess they're just going to have to do things the old fashioned way and lose laptops with the data on it.

  4. I don't get it by quickOnTheUptake · · Score: 1

    The article wasn't clear to me. How was this code getting executed? It looked like it was being put into the original document (like edit the source and reload from cache, in which case the result seems like normal behavior to me).
    Did anyone get the details of how the demo attack was being carried out?

    --
    Mod points: Guaranteed to remove your sense of humor.
    Side effects may include gullibility and temporary retardation
    1. Re:I don't get it by LDoggg_ · · Score: 1

      It was not clear at all. It looked like they logged in to paymo and started messing with javascript on the page. Anyone could do that with firebug and hose their own account if they wanted.

      Where was code being executed from another site to cause problems with someone else's account?

      Did the article have a problem with loading potentially harmful javascript code from google's server?

      --

      "If they have both, tell them we use Linux. And if they have that, tell them the computers are down." -Dave Chapelle
  5. Top posting but by Anonymous Coward · · Score: 0

    Why is every story showing "0" comments on the front page?

    *posting anon obviously.

    1. Re:Top posting but by Vectronic · · Score: 1

      I think it's Taco's way of making himself feel special, seems to be only during his "runs" of articles...

      Perhaps its a test, to see if articles with 0 submissions get more clicks, dunno...

    2. Re:Top posting but by Anonymous Coward · · Score: 0

      First Post!!!!

      Oh wait...

  6. Slashdotted Comments by Flyin+Fungi · · Score: 1

    Slashdot's Storage must of been attacked! I still see zero comments on stories.

  7. Javascript DB connection == EVIL by Foofoobar · · Score: 2, Informative

    Why would anyone connect to a database from a javascript where everyone can view your connection and play with it at will just by building a custom script? Database calls should be controlled through a backend... especially when delivering via the web.

    Even binary desktop apps connect to the server that gets that data and generally don't do DIRECT database calls. Client side database calls are just a bad idea no matter what language you use and what platform you are developing for.

    --
    This is my sig. There are many like it but this one is mine.
    1. Re:Javascript DB connection == EVIL by LDoggg_ · · Score: 1

      This isn't javascript connecting to a remote database. This is javascript talking to the local database built into HTML5 for local storage. No worse than making elaborate cookies unless the database for some reason is capable or executing things outside of its sandbox.

      --

      "If they have both, tell them we use Linux. And if they have that, tell them the computers are down." -Dave Chapelle
  8. You don't get it do you? by SmallFurryCreature · · Score: 3, Informative

    WHAT BACKEND?

    This is LOCAL storage used from the browser. There is NO server, the server is a lie!

    Your comment just shows you don't have a clue what this story is about. Basically this story is the same as the one in the dark ages when cookies were readable by other domains then they originated on.

    Browser connects to server, downloads javascript, javascript creates storage on the client, this storage should ONLY be readable by code that originated from the domain that created the local storage. This is apparantly not the case.

    The javascript is NOT connecting to the server side storage, that would indeed be silly.

    --

    MMO Quests are like orgasms:

    You may solo them, I prefer them in a group.

  9. Well, that is what XSS is for... by Giant+Electronic+Bra · · Score: 1

    Obviously, if a site is perfectly secure then it has no problems. My point was, there isn't a new vulnerability here, just a wider scope for exactly the same old ones to do more. EVERY additional feature javascript gets is one more thing an XSS exploit can do. Doesn't make it a new exploit any more than adding a new table to your database makes an SQLI exploit "new", it just means there is more data there to be messed with.

    --
    "Malo periculosam, libertatem quam quietam servitutem." -- Jefferson
  10. It IS only accessible from the domain that by Giant+Electronic+Bra · · Score: 2, Informative

    created it.

    And when someone adds some javascript to that site which shouldn't be there (XSS vuln) then their code is running from the place authorized to look at your local data.

    It really ISN'T that earth shattering, there is no 'new' vulnerability, just a new feature of javascript that the attacker can exploit once he has his script running on your browser.

    --
    "Malo periculosam, libertatem quam quietam servitutem." -- Jefferson
  11. by the Internet (432490) by Anonymous Coward · · Score: 0

    I hate you to.

    1. Re:by the Internet (432490) by Anonymous Coward · · Score: 0

      Internet is ID 103916, actually. /pedantic

  12. Re:Paymo by Anonymous Coward · · Score: 0

    At least the chicks are drawn with big boobs & wearing low cut blouses.

  13. update.google.com by aoheno · · Score: 1

    Or is it still beta? Never mind.

    Learn from Microsoft. Start patching.

    The only secure system is one without any interface.

    --
    Her lips were softer than a duck's bill, but her quacks ...
  14. Curing XSS by rdebath · · Score: 1

    Curing XSS should be as easy as bolting a door!

    The problem is that any part of a site can say "trust domain.xex for this important code". But security needs to be simple to use and a full site audit is not simple.

    My suggestion is a simple tag at the top of an html page that say two things.

    1. This file is a top level page and may not be rendered inside a frame.
    2. Only use files from "this" list of hosts to render anything in this window.

    In an ideal world a browser that doesn't understand the tag would display a nasty warning or error too.
    It might be that this suggestion won't work. But there is one that will because SSH is secure.
    However, that's not important, the most important part is Keep It Simple...

    1. Re:Curing XSS by guruevi · · Score: 1

      On 1: Why would I as a developer need to specify what others do with my page? If others can include my page in their site that's their problem. This can easily be circumvented by not adhering to that standard or other means (like filtering the page through a makeshift proxy (could even be in JS) that removes the tags).

      On 2: What developers have to do is better input/output control. XSS attacks are circumvented simply by failing the request (server side) anytime somebody specifies something with :// as the page to include or send to, failing if you see that the page doesn't come from your site or not relying on other sites to host things for you (like Google hosting your funky framework)

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
  15. Just wondering... by jonaskoelker · · Score: 1

    Just wondering, was her name Alison?