Slashdot Mirror


Attacking Local Browser Storage

CrazyCanucklehead writes "At the Black Hat security conference in Washington, DC, researcher Michael Sutton has detailed how common XSS flaws in web applications employing (Google) Gears and HTML 5 Database Storage can leave local databases wide open to attack. This comes just as Gears is starting to take off, and just yesterday Google demonstrated a beta version of offline Gmail on phones, thanks to HTML 5 support in WebKit-based browsers, such as those used by Android and the iPhone. Sutton drove home the point by walking through a real-world example on commercial site Paymo.biz, which has thankfully since been fixed."

3 of 28 comments

  1. Javascript DB connection == EVIL by Foofoobar · · Score: 2, Informative

    Why would anyone connect to a database from a javascript where everyone can view your connection and play with it at will just by building a custom script? Database calls should be controlled through a backend... especially when delivering via the web.

    Even binary desktop apps connect to the server that gets that data and generally don't do DIRECT database calls. Client side database calls are just a bad idea no matter what language you use and what platform you are developing for.

    --
    This is my sig. There are many like it but this one is mine.
  2. You don't get it do you? by SmallFurryCreature · · Score: 3, Informative

    WHAT BACKEND?

    This is LOCAL storage used from the browser. There is NO server, the server is a lie!

    Your comment just shows you don't have a clue what this story is about. Basically this story is the same as the one in the dark ages when cookies were readable by other domains than they originated on.

    Browser connects to server, downloads javascript, javascript creates storage on the client, this storage should ONLY be readable by code that originated from the domain that created the local storage. This is apparently not the case.

    The javascript is NOT connecting to the server side storage, that would indeed be silly.

    --

    MMO Quests are like orgasms:

    You may solo them, I prefer them in a group.

  3. It IS only accessible from the domain that by Giant+Electronic+Bra · · Score: 2, Informative

    created it.

    And when someone adds some javascript to that site which shouldn't be there (XSS vuln) then their code is running from the place authorized to look at your local data.

    It really ISN'T that earth shattering, there is no 'new' vulnerability, just a new feature of javascript that the attacker can exploit once he has his script running on your browser.

    --
    "Malo periculosam, libertatem quam quietam servitutem." -- Jefferson
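
The distinction argued over in comments 2 and 3, as an added example that is not part of the original thread: a toy JavaScript model in which local storage is keyed by the origin of the document, so where a script was loaded from plays no part in the access decision, followed by the output encoding that keeps reflected input from becoming a script element. The class, function names, hosts (`app.example`, `other.example`) and the stored record are all constructed for illustration.

```javascript
// Toy model (constructed): browser-side storage keyed by the DOCUMENT's origin.
class OriginScopedStorage {
  constructor() { this.stores = new Map(); }
  // documentUrl: the page the script runs in.
  // scriptSrc:   where the script file came from; deliberately unused, because
  //              the same-origin check does not look at it.
  open(documentUrl, scriptSrc) {
    const origin = new URL(documentUrl).origin; // scheme + host + port
    if (!this.stores.has(origin)) this.stores.set(origin, new Map());
    return this.stores.get(origin);
  }
}

// Mitigation: encode untrusted input so the browser treats it as text, not markup.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// A page that reflects a query parameter, with or without encoding.
function renderPage(query, encode) {
  return `<p>Results for ${encode ? escapeHtml(query) : query}</p>`;
}

// Crude check for whether the rendered HTML would contain a script element.
function containsScriptElement(html) {
  return /<script\b/i.test(html);
}

function demo() {
  const storage = new OriginScopedStorage();
  const appPage = 'https://app.example/timesheet';
  const foreignJs = 'https://other.example/x.js';

  // The application's own script writes a record into its local database.
  storage.open(appPage, 'https://app.example/app.js').set('invoice', 'constructed-record');

  // Constructed reflected input that references a script on another host.
  const query = `<script src="${foreignJs}"></script>`;
  return {
    // Foreign script running inside the app's page: same origin, same database.
    injectedScriptSees: storage.open(appPage, foreignJs).get('invoice'),
    // Same script running in a page on its own origin: a different, empty store.
    otherOriginSees: storage.open('https://other.example/page', foreignJs).get('invoice'),
    rawHasScript: containsScriptElement(renderPage(query, false)),
    encodedHasScript: containsScriptElement(renderPage(query, true)),
  };
}

console.log(demo());
```
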