Google Gears Offline Gmail Exposed To Hackers Attacks
Gears, an open-source Google’s project allows data normally stored on a webserver to be stashed instead on end users’ computers. Last month, Gmail allowed users to read and write email even when they’re not connected to the interwebs. As a result, a single cross-site scripting (XSS) error or SQL injection vulnerability on the web server is all it takes to gain full access to the contents, a security researcher warns.
Like almost all other offline web applications, offline Gmail works by creating the equivalent of a relational database on the client PC. Over the past year, dozens of web-based services have adopted new features that allow them to be used even when an internet connection isn’t available. The technologies making this possible may offer plenty of convenience, but they also make end users susceptible to powerful new attacks, says Michael Sutton, vice president of research at web security firm Zscaler.
“It really changes the landscape from an attacker’s perspective,” Sutton says. “I as an end user can have a fully patched system surfing a reputable site and still be vulnerable because there is a weakness on the page I’m viewing. You are actually made vulnerable if the site has a vulnerability in it.”
To prove his point, Sutton identified a SQL injection vulnerability in a time-keeping service offered by a website called Paymo. By embedding select commands into various Paymo URLs, he was able to pluck information stored on a PC that had been using the service’s offline feature, he says.
Paymo promptly fixed the bug. But Sutton says the vulnerability amounts to a proof of concept for a new class of attacks that targets users of offline web services. Such “persistent client side storage” attacks, as he has dubbed them, have the potential to target victims each time they interact with a vulnerable service, he warns.
What’s more, because the services are generally available to anyone for free, it’s possible for attackers to have detailed knowledge of exactly how the databases are configured, an understanding that could go a long way to improving the odds of successfully exploiting the vulnerability.
Because it works on Windows, OS X, and Linux, Gears is by far the most popular way of bringing offline functionality to web services. But it’s not the only way websites can make such offerings available. HTML 5, which is still under development, also describes ways for browsers to have local databases that interact with websites. Apple’s Safari browser has already implemented part of that.
That has led Sutton to envision a day when most internet users have a wealth of locally stored data on their PCs that seamlessly interacts with websites. Suddenly, XSS exploits – which typically allow attackers to steal only limited amounts of data, such as authentication cookies – could be used to purloin entire databases, he warns.
Credit: The Register
More on CyberInsecure:
Leave a Reply
Comments with unsolicited links to other resources will be marked as spam. DO NOT leave links in comments. Please leave your real email, it wont be published.