Sunday, February 22, 2009

Offline web applications allow people to store data on their own computer


Working offline can come with an unexpected risk
A security expert has sounded a warning on features that allow offline access to websites. so that they can use services like web-based e-mail when not online.
Be cautious when you get an email that says "there's a problem with your password, click on this link and we'll fix it"
But sites with poor security that use the feature put their visitors at risk of being robbed of their data.

Michael Sutton disclosed the threat at the Black Hat security conference in Washington, DC.

Offline web applications are taking off because of services such as Gears, developed by Google, and HTML 5, a new HTML specification that is still in draft form.

It was introduced to many web users in January, when Gmail introduced a Gears-powered offline mode. Offline Gmail lets users read and write e-mail when they're not connected to the internet.

Mr Sutton stressed that Gmail, Gears and HTML 5 are considered secure, but websites that implement offline features without proper security could put users at risk.

"You can take this great, cool secure technology, but if you implement it on an insecure website, you're exposing it. And then all that security is for naught."

Mr Sutton found that websites which suffer from a well-known security vulnerability known as cross-site scripting are at risk.

A hacker could direct a victim to a vulnerable website and then cause the user's own browser to grab data from their offline database.
Unlike phishing, the whole attack could take place on a reputable site, which makes it harder to detect.

As a proof of concept, Mr Sutton was able to swipe information from the offline version of a time-tracking website called Paymo. Mr Sutton alerted Paymo and it fixed the vulnerability immediately.

Web developers must ensure that their sites are secure before implementing offline applications, said Mr Sutton.

"Gears is fantastic and Google has done a great job of making it a secure technology. But if you slap that technology into an already vulnerable site, you're leaving your customers at risk," he explained.

Security expert Craig Balding agreed that it was up to developers to secure their sites, as the line between desktop applications and web applications becomes more blurred.

"Every website wants to keep up in terms of features, but when developers turn to technologies like this they need to understand the pros and cons," he told BBC News.

No comments:

Post a Comment