Slashdot Mirror


21 Financial Sites Found To Store Sensitive Data In Browser Disk Cache

An anonymous reader writes "The LA Times mentions that after visiting well known sites such as ADP, Verizon Wireless, Scottrade, Geico, Equifax, PayPal and Allstate, sensitive data remains in the browser disk cache despite those sites using SSL. This included full credit reports, prescription history, payroll statements, partial SSNs, credit card statements, and canceled checks. Web servers are supposed to send a Cache-Control: no-store header to prevent this, but many of the sites are sending non-standard headers recognized only by Internet Explorer, and others are sending no cache headers at all. While browsers were once cautious about writing content received over SSL to the disk cache, today, most do so by default unless the server specifies otherwise."
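The summary names the header that matters (Cache-Control: no-store) and the two failure modes (IE-only headers, no headers at all). What follows is an added audit script written for this page, not code from the LA Times article or from any of the sites it names. Header semantics are per RFC 7234: only no-store forbids storing the response; no-cache merely forces revalidation before reuse, and Pragma or Expires mark a response stale without stopping a browser from writing the body to disk. The sample header sets are constructed for the demo; the function and variable names are this example's own.

```python
"""Audit HTTP response headers for disk-cache exposure of sensitive pages.

Added example for this thread, not code from the article or any site it
names. Cache-Control semantics follow RFC 7234. The SAMPLE_RESPONSES below
are constructed, not captured from any real site.
"""
import sys
import urllib.request


def parse_cache_control(value):
    """Split one Cache-Control value into {directive: argument-or-None}.

    Handles comma separation, case-insensitive directive names and quoted
    arguments such as private="set-cookie, x" (quotes may contain commas).
    """
    parts, token, in_quotes = [], [], False
    for ch in value:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "," and not in_quotes:
            parts.append("".join(token))
            token = []
        else:
            token.append(ch)
    parts.append("".join(token))

    directives = {}
    for part in parts:
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def audit_cache_headers(headers):
    """Classify a response as SAFE, WEAK or EXPOSED with respect to disk caching.

    `headers` is a mapping or a list of (name, value) pairs; repeated
    Cache-Control headers are merged. Returns (verdict, reason).
    """
    items = list(headers.items() if hasattr(headers, "items") else headers)
    names = {k.lower() for k, _ in items}
    cc = {}
    for k, v in items:
        if k.lower() == "cache-control":
            cc.update(parse_cache_control(v))
    pragma_no_cache = any(
        k.lower() == "pragma" and v.strip().lower() == "no-cache" for k, v in items
    )

    if "no-store" in cc:
        return "SAFE", "Cache-Control: no-store forbids storing the response"
    if "no-cache" in cc:
        return "WEAK", "no-cache only forces revalidation; the body may still be written to disk"
    if pragma_no_cache or "expires" in names:
        return "WEAK", "Pragma/Expires mark the response stale but do not prevent storage"
    if not cc:
        return "EXPOSED", "no cache headers at all; browsers cache HTTPS responses by default"
    return "EXPOSED", "Cache-Control lacks no-store: " + ", ".join(sorted(cc))


# What a server should send on pages carrying statements, reports or checks.
# Pragma/Expires are legacy compatibility only; no-store does the work.
SENSITIVE_RESPONSE_HEADERS = {
    "Cache-Control": "no-store",
    "Pragma": "no-cache",
    "Expires": "0",
}

# Constructed sample responses (not captured from any real site).
SAMPLE_RESPONSES = {
    "statement, correct": [("Content-Type", "text/html"), ("Cache-Control", "no-store, must-revalidate")],
    "statement, no-cache only": [("Cache-Control", "no-cache")],
    "statement, private only": [("Cache-Control", "private, max-age=0")],
    "statement, legacy only": [("Pragma", "no-cache"), ("Expires", "Thu, 01 Jan 1970 00:00:00 GMT")],
    "statement, nothing": [("Content-Type", "application/pdf")],
}


def fetch_headers(url):
    """Fetch one URL (network access) and return its response headers as pairs."""
    with urllib.request.urlopen(url) as resp:
        return list(resp.headers.items())


if __name__ == "__main__":
    # Usage: python cache_audit.py [https://example.test/statement]
    targets = {sys.argv[1]: fetch_headers(sys.argv[1])} if len(sys.argv) > 1 else SAMPLE_RESPONSES
    for label, hdrs in targets.items():
        verdict, why = audit_cache_headers(hdrs)
        print(f"{verdict:8} {label}: {why}")
    assert audit_cache_headers(SENSITIVE_RESPONSE_HEADERS)[0] == "SAFE"
```

Run it without arguments to see the five constructed cases classified; pass a URL (after logging in with a cookie, if needed, which this script does not do) to audit a live response. The parser is deliberately quote-aware because a header like private="set-cookie, x" would otherwise be split on the inner comma and misreport the directive set.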

5 of 118 comments

  1. "Despite Using SSL" by Anonymous Coward · Score: 3, Insightful

    What does SSL have to do with what happens to the data once it's local?

    I understand that most people are clueless, but this is slashdot still, right? I haven't stumbled upon some other site on which to dig up TFA (not that I've read it).

  2. Scaremongering by YA_Python_dev · Score: 1, Insightful

    This is BS. If an attacker has access to your files on your local disk, they have already won.

    --
    There's a hidden treasure in Python 3.x: __prepare__()
  3. Reading fail by wonkey_monkey · Score: 2, Insightful

    but many of the sites are sending non-standard headers recognized only by Internet Explorer

    Still, you got paid, what do you care?

    --
    systemd is Roko's Basilisk.
  4. Re:This is actually a very bad idea, if true by bloodhawk · Score: 3, Insightful

    The real problem here is the standard is just plain retarded. Even though I hate Apple I think their approach is the lesser evil. The default should be don't cache; web servers should then be able to enable caching if they want to sacrifice some security for performance (assuming the user hasn't explicitly disabled caching). It would be nice to be able to rely on users having well managed machines or the internet being made up of mostly well managed servers, but let's face it, that ain't happening anytime soon in anything but well run enterprises and IT literate end users.

  5. Re:This is actually a very bad idea, if true by anegg · Score: 4, Insightful

    Note that the claim is that Safari doesn't cache to DISK, not that Safari doesn't cache. I.e., Safari doesn't store information that was deemed sensitive enough to require a secure channel on a long-term (probably unencrypted) storage medium.