Slashdot Mirror


21 Financial Sites Found To Store Sensitive Data In Browser Disk Cache

An anonymous reader writes "The LA Times mentions that after visiting well known sites such as ADP, Verizon Wireless, Scottrade, Geico, Equifax, PayPal and Allstate, sensitive data remains in the browser disk cache despite those sites using SSL. This included full credit reports, prescription history, payroll statements, partial SSNs, credit card statements, and canceled checks. Web servers are supposed to send a Cache-Control: no-store header to prevent this, but many of the sites are sending non-standard headers recognized only by Internet Explorer, and others are sending no cache headers at all. While browsers were once cautious about writing content received over SSL to the disk cache, today, most do so by default unless the server specifies otherwise."
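As an added example (not code from the article, ISE, or any commenter), here is a small Python checker that grades a raw HTTPS response header block the way the summary describes: `Cache-Control: no-store` is the standard directive that forbids writing the body to disk, `no-cache`, `private` or `Expires` alone still permit storage, and a bare `Pragma: no-cache` is a request directive under RFC 2616. The sample responses are constructed for the demonstration.

```python
"""Grade HTTP response headers for disk-cache safety of sensitive content."""

def parse_headers(raw: str) -> dict[str, list[str]]:
    """Parse a raw response header block into {lowercase-name: [values]}."""
    headers: dict[str, list[str]] = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:  # ignore malformed lines with no colon
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def cache_control_directives(headers: dict[str, list[str]]) -> set[str]:
    """Collect Cache-Control directive names (lowercase, values stripped)."""
    directives: set[str] = set()
    for value in headers.get("cache-control", []):
        for item in value.split(","):
            if item.strip():
                directives.add(item.strip().split("=", 1)[0].lower())
    return directives

def audit(raw: str) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'ok', 'weak' or 'missing'."""
    h = parse_headers(raw)
    d = cache_control_directives(h)
    if "no-store" in d:
        return "ok", "Cache-Control: no-store forbids writing the response to disk"
    if "no-cache" in d:
        return "weak", "no-cache only forces revalidation; the body may still be stored on disk"
    if d:
        return "weak", "Cache-Control present but lacks no-store (private/max-age still allow storage)"
    if "pragma" in h:
        return "weak", "Pragma: no-cache is a request directive in RFC 2616; unreliable on responses"
    if "expires" in h:
        return "weak", "Expires alone marks the response stale but does not forbid storing it"
    return "missing", "no cache headers; most browsers will cache the HTTPS body to disk by default"

# Header set a server should emit for sensitive pages (no-store is the part that matters;
# the rest is belt-and-braces for older caches).
RECOMMENDED = "Cache-Control: no-store, no-cache, must-revalidate\r\nPragma: no-cache\r\nExpires: 0\r\n"

# Constructed sample responses, not captured from any real site.
GOOD = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n" + RECOMMENDED
NOCACHE_ONLY = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nCache-Control: no-cache\r\n"
PRIVATE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nCache-Control: private, max-age=0\r\n"
PRAGMA_ONLY = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nPragma: no-cache\r\n"
NONE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 1234\r\n"

if __name__ == "__main__":
    for name, raw in [("good", GOOD), ("no-cache only", NOCACHE_ONLY), ("private", PRIVATE),
                      ("pragma only", PRAGMA_ONLY), ("no headers", NONE)]:
        print(f"{name:14} -> {audit(raw)}")
```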

5 of 118 comments

  1. Re:And that my friends by Power+Rangers+2000 · · Score: 1, Informative

    Apple refusing to allow addons in their Webkit

    Apple's browser's name is Safari. WebKit is the rendering engine.

  2. Re:"Despite Using SSL" by Anonymous Coward · · Score: 2, Informative

    As the summary says, browsers were once cautious about writing content received over SSL to the disk cache. The use of SSL provides a hint to the browser that the data is sensitive, but now browsers choose -- despite the use of SSL -- to store the unencrypted data anyway.

  3. Safari doesn't cache at all by david.emery · · Score: 4, Informative

    From the securityevaluators.com document (2nd reference in the base article): Safari. Apple Safari does not cache HTTPS-delivered content to disk, regardless of any headers sent by the server. ISE tested the mobile version of Safari on an iPad 2, and the HTTPS caching behavior was identical to the desktop version.

  4. Re:The fail is your monkeyboy. by halltk1983 · · Score: 4, Informative

    http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9.2

    Seems like it's mentioned there to me...

    --
    Watch for Penguins, they eat Apples and throw rocks at Windows.

  5. HTTPS to avoid session cookie cloning by tepples · · Score: 3, Informative

    It used to be that the burden of encryption was only placed on the most sensitive of data, like a banking session or a protected site log-in [but there are] websites that don't have the need (encrypting your google searches? come on, they are spying on you anyway)

    If you allow users to log in at all but don't encrypt everything, an attacker who can see a user's packets can snoop the user's session cookie and issue requests as that user for several minutes to several hours. The "Firesheep" plug-in, which allowed cloning the Facebook sessions of other users connected to the same wireless network, was the first widely reported incident of this.