
Attacking Local Browser Storage

CmdrTaco posted more than 5 years ago | from the ripe-for-pwnage dept.

Security 28

CrazyCanucklehead writes "At the Blackhat security conference in Washington, DC, researcher Michael Sutton has detailed how common XSS flaws in web applications employing (Google) Gears and HTML 5 Database Storage can leave local databases wide open to attack. This comes just as Gears is starting to take off, and just yesterday Google demonstrated a beta version of offline Gmail on phones, thanks to HTML 5 support in WebKit-based browsers, such as those used by Android and the iPhone. Sutton drove home the point by walking through a real world example on commercial site, which has thankfully since been fixed."


Paymo (1)

Smidge207 (1278042) | more than 5 years ago | (#26921839)

Gah. What's up with the 'chicky' cartoon people on their homepage? Real professional, that. :rolls eyes:


Re:Paymo (0)

Anonymous Coward | more than 5 years ago | (#26924971)

At least the chicks are drawn with big boobs & wearing low cut blouses.

Doing everything through the web is dumb (5, Funny)

Gizzmonic (412910) | more than 5 years ago | (#26921851)

Why do we need to do spreadsheets or word processing through the web? It's a dumb idea. AJAX stuff will never be secure, especially compared to local applications. I hate the idea of "the cloud." I wish the Internet would go away, maybe then my fat girlfriend wouldn't have found that other guy on WoW. I hate you Internet!

Re:Doing everything through the web is dumb (1)

mcgrew (92797) | more than 5 years ago | (#26922121)

Well, I don't need it and you might not either, but I can see someone with a web-enabled cell phone, a laptop, and a box at their home wanting to access their stuff from anywhere. Say I kept my check register online, I could update it any time and who would want to access it?

Or for taking notes or something.

Re:Doing everything through the web is dumb (0)

Anonymous Coward | more than 5 years ago | (#26930951)

Lots of stuff for which it comes in handy. Working collaboratively on a paper... it sure beats the back and forth of document files particularly when more than 2 people are involved. You may very well only use the web interface for "content" and do a final polished version, but it sure helps the collaborative writing phase. Particularly as it permits instantaneous collaborative edits.

Same goes for putting together marks of students when you have multiple TAs for a class. Sure beats the last minute back and forth trying to find out where everybody is, and the ever present "did you edit this version of the spreadsheet? Wasn't this the final list" etc. etc.

Again, collaboration between 2 individuals may not require it, but start adding people to your collective effort and in some cases it's a must. Synchronization of individual copies just doesn't always work.

Top posting but (0)

Anonymous Coward | more than 5 years ago | (#26922131)

Why is every story showing "0" comments on the front page?

*posting anon obviously.

Re:Top posting but (1)

Vectronic (1221470) | more than 5 years ago | (#26922249)

I think it's Taco's way of making himself feel special, seems to be only during his "runs" of articles...

Perhaps it's a test, to see if articles with 0 submissions get more clicks, dunno...

Re:Top posting but (0)

Anonymous Coward | more than 5 years ago | (#26922523)

First Post!!!!

Oh wait...

Re:Doing everything through the web is dumb (1)

phantomfive (622387) | more than 5 years ago | (#26922321)

Of course, since local applications have always been super-secure. (sarcasm).

I have no problem with security, since I have coded my own browser, called froam, that runs each page in a separate process in a separate VM, then for safe keeping, I store the data from each thread in a separate hard drive. The storage costs are getting expensive but it is all worth it knowing I have out-microsofted microsoft at their own game. (Ha! and each desk has its own chair! Take that Ballmer!!)


by the Internet (432490) (0)

Anonymous Coward | more than 5 years ago | (#26923857)

I hate you too.

Re:by the Internet (432490) (0)

Anonymous Coward | more than 5 years ago | (#26924275)

Internet is ID 103916, actually. /pedantic

Just wondering... (1)

jonaskoelker (922170) | more than 5 years ago | (#26926465)

Just wondering, was her name Alison?

Re:Doing everything through the web is dumb (0)

Anonymous Coward | more than 5 years ago | (#26932409)

You never had a girlfriend. You're a liar. Why are you lying?

Yeah, this wasn't basically obvious? (2, Insightful)

Giant Electronic Bra (1229876) | more than 5 years ago | (#26921865)

In essence it isn't a NEW vulnerability, just whenever javaScript can do some new thing on your browser then hey presto! So can someone else's javascript do that marvy new thing. Just proves that XSS attacks live on, and always will.

Re:Yeah, this wasn't basically obvious? (1)

LDoggg_ (659725) | more than 5 years ago | (#26922309)

Sure, someone else's javascript can do that marvy new thing if you're dumb enough to include their javascript in your page.

Well, that is what XSS is for... (1)

Giant Electronic Bra (1229876) | more than 5 years ago | (#26922637)

Obviously, if a site is perfectly secure then it has no problems. My point was, there isn't a new vulnerability here, just a wider scope for exactly the same old ones to do more. EVERY additional feature javascript gets is one more thing an XSS exploit can do. Doesn't make it a new exploit any more than adding a new table to your database makes an SQLI exploit "new", it just means there is more data there to be messed with.

There goes my great plan.. (4, Funny)

dave562 (969951) | more than 5 years ago | (#26921953)

develop an app for the IRS that would allow their agents to take work home on their mobile phones. I guess they're just going to have to do things the old fashioned way and lose laptops with the data on it.

I don't get it (1)

quickOnTheUptake (1450889) | more than 5 years ago | (#26922061)

The article wasn't clear to me. How was this code getting executed? It looked like it was being put into the original document (like edit the source and reload from cache, in which case the result seems like normal behavior to me).
Did anyone get the details of how the demo attack was being carried out?

Re:I don't get it (1)

LDoggg_ (659725) | more than 5 years ago | (#26922239)

It was not clear at all. It looked like they logged in to paymo and started messing with javascript on the page. Anyone could do that with firebug and hose their own account if they wanted.

Where was code being executed from another site to cause problems with someone else's account?

Did the article have a problem with loading potentially harmful javascript code from google's server?

Slashdotted Comments (1)

Flyin Fungi (888671) | more than 5 years ago | (#26922181)

Slashdot's Storage must have been attacked! I still see zero comments on stories.

Javascript DB connection == EVIL (2, Informative)

Foofoobar (318279) | more than 5 years ago | (#26922201)

Why would anyone connect to a database from a javascript where everyone can view your connection and play with it at will just by building a custom script? Database calls should be controlled through a backend... especially when delivering via the web.

Even binary desktop apps connect to the server that gets that data and generally don't do DIRECT database calls. Client side database calls are just a bad idea no matter what language you use and what platform you are developing for.

Re:Javascript DB connection == EVIL (1)

LDoggg_ (659725) | more than 5 years ago | (#26922269)

This isn't javascript connecting to a remote database. This is javascript talking to the local database built into HTML5 for local storage. No worse than making elaborate cookies unless the database for some reason is capable of executing things outside of its sandbox.

You don't get it do you? (3, Informative)

SmallFurryCreature (593017) | more than 5 years ago | (#26922331)


This is LOCAL storage used from the browser. There is NO server, the server is a lie!

Your comment just shows you don't have a clue what this story is about. Basically this story is the same as the one in the dark ages when cookies were readable by other domains than they originated on.

Browser connects to server, downloads javascript, javascript creates storage on the client, this storage should ONLY be readable by code that originated from the domain that created the local storage. This is apparently not the case.

The javascript is NOT connecting to the server side storage, that would indeed be silly.

It IS only accessible from the domain that (2, Informative)

Giant Electronic Bra (1229876) | more than 5 years ago | (#26922721)

created it.

And when someone adds some javascript to that site which shouldn't be there (XSS vuln) then their code is running from the place authorized to look at your local data.

It really ISN'T that earth shattering, there is no 'new' vulnerability, just a new feature of javascript that the attacker can exploit once he has his script running on your browser.
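The point made in the story summary and in the two comments above (local storage is scoped to the origin that created it, and an XSS flaw puts the attacker's script inside that origin) can be shown in a few lines. The following is an added example, not code from the article, from Paymo, Gears, or any commenter: it models per-origin storage and the same-origin check in plain Node, and pairs an injection sink with the output escaping that prevents it. The origin names and stored values are constructed for the example.

```javascript
// Added example: a minimal model of origin-scoped client storage and of why
// an XSS flaw gives an attacker the same access as the site's own code.
// Plain Node; no browser or DOM required.

// Simulated per-origin storage, the way localStorage / HTML5 database storage
// is partitioned: one bucket per origin (scheme + host + port).
const storageByOrigin = new Map();

function storageFor(origin) {
  if (!storageByOrigin.has(origin)) storageByOrigin.set(origin, new Map());
  return storageByOrigin.get(origin);
}

// A script can only reach the bucket of the origin it is *running in*.
// The browser checks the origin of the page executing the script; where the
// script text was injected from does not matter.
function readStore(runningOrigin, requestedOrigin, key) {
  if (runningOrigin !== requestedOrigin) {
    throw new Error(`same-origin policy: ${runningOrigin} cannot read ${requestedOrigin}`);
  }
  return storageFor(requestedOrigin).get(key);
}

// Minimal HTML escaping for text placed into an HTML body. This is the
// output-side control that keeps untrusted text from becoming markup.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Two ways to build a page fragment from user-controlled text.
function renderUnsafe(userText) {
  return `<p class="note">${userText}</p>`;          // injection sink
}
function renderSafe(userText) {
  return `<p class="note">${escapeHtml(userText)}</p>`;
}

// Scenario: the app keeps offline data for its user under its own origin.
function demo() {
  const site = 'https://app.example';                 // constructed origin
  storageFor(site).set('session', 'user-token-123');  // constructed value

  // The site's own code reads its data: allowed.
  const own = readStore(site, site, 'session');

  // A page on another origin asking for it: blocked by the browser.
  let crossOriginBlocked = false;
  try { readStore('https://other.example', site, 'session'); }
  catch (e) { crossOriginBlocked = true; }

  // With an XSS flaw the injected script runs *in* app.example, so the
  // same-origin check passes: the attacker sees exactly what the site sees.
  const viaXss = readStore(site, site, 'session');

  // Constructed untrusted input; only the escaped render neutralises it.
  const untrusted = '<script>/* attacker-controlled */</script>';
  return {
    own, crossOriginBlocked, viaXss,
    unsafeHasScriptTag: renderUnsafe(untrusted).includes('<script>'),
    safeHasScriptTag: renderSafe(untrusted).includes('<script>'),
  };
}
```

Run `demo()` under Node: the cross-origin read throws, the same-origin reads (legitimate and injected alike) both return the stored value, and only `renderSafe` keeps the `<script>` tag out of the markup. The practical consequence is the one the thread converges on: the storage boundary is sound, so the defence is eliminating the injection, and anything kept in client-side storage should be treated as readable by any script that reaches the origin.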

YUO FAIL IT (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#26923829) (1)

aoheno (645574) | more than 5 years ago | (#26925941)

Or is it still beta? Never mind.

Learn from Microsoft. Start patching.

The only secure system is one without any interface.

Curing XSS (1)

rdebath (884132) | more than 5 years ago | (#26925967)

Curing XSS should be as easy as bolting a door!

The problem is that any part of a site can say "trust domain.xex for this important code". But security needs to be simple to use and a full site audit is not simple.

My suggestion is a simple tag at the top of an html page that says two things.

  1. This file is a top level page and may not be rendered inside a frame.
  2. Only use files from "this" list of hosts to render anything in this window.

In an ideal world a browser that doesn't understand the tag would display a nasty warning or error too.
It might be that this suggestion won't work. But there is one that will because SSH is secure.
However, that's not important, the most important part is Keep It Simple...
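The two rules proposed above are, in substance, what the Content-Security-Policy response header later standardised: rule 1 (never render inside a frame) is `frame-ancestors 'none'`, and rule 2 (only load from this list of hosts) is a source allowlist such as `script-src`. The block below is an added example, not rdebath's code: it builds the headers from a policy description and includes a simplified model of how a browser checks a script URL or an embedding page against them. Real CSP matching has more cases (wildcard hosts, paths, nonces, hashes) than this matcher handles; the origins are constructed.

```javascript
// Added example: expressing "no framing" and "only these hosts" as the
// Content-Security-Policy header, plus a simplified model of the matching.

// Build the header value from a site's policy description.
function buildCsp({ allowedHosts, framing }) {
  const sources = ["'self'", ...allowedHosts].join(' ');
  const ancestors = framing === 'deny' ? "'none'" : "'self'";
  return [
    `default-src ${sources}`,
    `script-src ${sources}`,
    `frame-ancestors ${ancestors}`,
  ].join('; ');
}

// Headers to send. X-Frame-Options is the older, coarser frame rule that
// browsers without frame-ancestors support still understand.
function securityHeaders(policy) {
  return {
    'Content-Security-Policy': buildCsp(policy),
    'X-Frame-Options': policy.framing === 'deny' ? 'DENY' : 'SAMEORIGIN',
  };
}

// Parse "directive source source; directive ..." into a Map.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives.set(tokens[0], tokens.slice(1));
  }
  return directives;
}

// Simplified host-source match: exact origin comparison only
// (no wildcards or path matching, which real CSP also supports).
function originMatches(source, origin) {
  try { return new URL(source).origin === origin; } catch { return false; }
}

// Would a script at `url` be allowed on a page whose origin is `pageOrigin`?
function scriptAllowed(header, pageOrigin, url) {
  const d = parseCsp(header);
  const sources = d.get('script-src') || d.get('default-src') || [];
  const target = new URL(url).origin;
  return sources.some((src) => {
    if (src === "'self'") return target === pageOrigin;
    if (src === "'none'") return false;
    return originMatches(src, target);
  });
}

// May a page at `embedderOrigin` frame a page at `pageOrigin`?
// frame-ancestors does not fall back to default-src; absent means unrestricted.
function framingAllowed(header, pageOrigin, embedderOrigin) {
  const sources = parseCsp(header).get('frame-ancestors');
  if (!sources) return true;
  return sources.some((src) => {
    if (src === "'none'") return false;
    if (src === "'self'") return embedderOrigin === pageOrigin;
    return originMatches(src, embedderOrigin);
  });
}
```

A policy of `{ allowedHosts: ['https://cdn.example'], framing: 'deny' }` yields `default-src 'self' https://cdn.example; script-src 'self' https://cdn.example; frame-ancestors 'none'`: a script from `https://evil.example` is refused, one from the listed CDN or the site itself is loaded, and no page anywhere may frame it. This also answers the objection that a browser which does not understand the tag gets no protection: enforcement lives in the browser, so the allowlist is only as good as the client's support, and an injected script that is *inline* still needs `'unsafe-inline'` to be absent from the policy to be blocked.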

Re:Curing XSS (1)

guruevi (827432) | more than 5 years ago | (#26928381)

On 1: Why would I as a developer need to specify what others do with my page? If others can include my page in their site that's their problem. This can easily be circumvented by not adhering to that standard or other means (like filtering the page through a makeshift proxy (could even be in JS) that removes the tags).

On 2: What developers have to do is better input/output control. XSS attacks are circumvented simply by failing the request (server side) anytime somebody specifies something with :// as the page to include or send to, failing if you see that the page doesn't come from your site or not relying on other sites to host things for you (like Google hosting your funky framework)
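The server-side check described in point 2 (fail the request when a "page to include or send to" parameter carries a scheme) can be written in a few lines. The block below is an added example, not guruevi's code: `hasScheme` is the literal `://` rule from the comment, and `localPathOnly` is the stricter form a reviewer would ask for, which resolves the value against the site's own origin and accepts it only if it still points there, so protocol-relative values (`//host/...`) and backslash variants are also refused. The site origin and inputs are constructed.

```javascript
// Added example: validating a request parameter that names a local page to
// include or redirect to, so that it can never point off-site.

const SITE_ORIGIN = 'https://app.example'; // constructed origin for the example

// The simple rule from the comment: fail on any scheme separator.
// Note that '//evil.example/x' has no '://' and slips through this check.
function hasScheme(value) {
  return /:\/\//.test(value);
}

// Stricter rule: normalise with the WHATWG URL parser, then require that the
// result is same-origin. Returns the normalised path (with query) to use, or
// null, in which case the request should fail.
function localPathOnly(value, siteOrigin = SITE_ORIGIN) {
  if (typeof value !== 'string' || value.length === 0) return null;
  // Backslashes and NUL are never legitimate in a local page name; the URL
  // parser would otherwise fold '\\' into '/' for http(s) URLs.
  if (/[\\\u0000]/.test(value)) return null;
  let resolved;
  try { resolved = new URL(value, siteOrigin); } catch { return null; }
  // Absolute URLs, protocol-relative URLs and non-http schemes all resolve
  // to a different origin (or the opaque origin 'null') and are rejected.
  if (resolved.origin !== siteOrigin) return null;
  return resolved.pathname + resolved.search;
}
```

`localPathOnly('/reports/1?view=full')` returns the path unchanged and `localPathOnly('reports/1')` returns `/reports/1`, while `https://evil.example/x`, `//evil.example/x` and `\\evil.example` all return `null`. Whatever the caller then includes or redirects to is built from the returned path joined to the site's own origin, never from the raw parameter.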
