Black Hat: Google Gears Offline Data Vulnerable
Google defends its product after a demonstration of a Web service-based attack using a cross-site scripting vulnerability.
The emergence of Web applications that function offline through technologies like Google Gears brings with it new risks: server-side attacks that can access client-side data.
In a presentation at the Black Hat conference in Washington, D.C., on Wednesday, Michael Sutton, VP of search research for Zscaler, demonstrated how a Google Gears-enabled Web service called Paymo.biz could be attacked using a cross-site scripting (XSS) vulnerability so that data stored in a user's local Google Gears database could be accessed or altered.
Paymo.biz fixed the vulnerability promptly, which is unusual. According to a study released in December by WhiteHat Security, Web sites typically take weeks or months to fix security problems.
And no matter how responsive Web sites are to security problems that get reported, the overall problem remains. "Both Gears and HTML5 Database Storage leverage client-side JavaScript to create and interact with local databases," Sutton said in a blog post on Thursday. "Therefore, if an XSS vulnerability is present, it's all too easy for an attacker to compromise the confidentiality and integrity of locally stored data by reading from or writing to the local database."
One reason it's so easy for an attacker is that vulnerabilities are so common. Over the three years from January 2006 through December 2008, 82% of Web sites had at least one security issue, according to WhiteHat Security, and for 63% of them, issues of high, critical, or urgent severity remain unaddressed.
"Google Gears is a secure technology," Sutton said in a phone interview. The problem is that a secure technology becomes insecure when connected with an insecure Web site.
And Sutton expects the use of offline browser-based storage to be more prevalent as more Web services take advantage of Gears and HTML5. For developers taking that path, he advises doing so carefully.
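The point Sutton makes above, that local storage is only as safe as the page's handling of untrusted data, can be shown without any Gears-specific code. The following is an added example written for this page, not code from the article, Zscaler, Paymo.biz or Google: an in-memory array stands in for the local Gears/HTML5 database, one record holds a constructed script-injection string (as if an attacker had written it to the store through an XSS flaw on the same origin), and the same data is rendered once by concatenation and once through an output-encoding step. The names `localTaskStore`, `renderTasksUnsafe`, `renderTasksSafe` and `containsScriptTag` are assumptions for the illustration.

```javascript
// Added example (not from the article, Zscaler, Paymo.biz or Google): a minimal
// model of a Gears/HTML5-style local store and two ways of rendering its contents.
// The "database" is an in-memory array standing in for the local SQL database and
// the record values are constructed sample data. No real Gears API is used.

// Constructed local store. Record 2 carries a constructed script-injection payload,
// modelling data an attacker wrote to the store via a same-origin XSS flaw.
const localTaskStore = [
  { id: 1, title: 'Invoice client' },
  { id: 2, title: '<script>/* constructed payload */</script>' },
];

// Encode the five HTML-significant characters so stored values are shown as text,
// never interpreted as markup, regardless of how they got into the store.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable rendering: values from the local store are concatenated straight into
// HTML, so anything an attacker managed to write to the store becomes live markup
// the next time the page renders, even after the original XSS entry point is fixed.
function renderTasksUnsafe(store) {
  return '<ul>' + store.map((t) => `<li>${t.title}</li>`).join('') + '</ul>';
}

// Hardened rendering: identical data, but every value is encoded for the HTML
// context before it is inserted. Encoding on output also neutralises records that
// were poisoned before the fix, which input validation alone cannot do.
function renderTasksSafe(store) {
  return '<ul>' + store.map((t) => `<li>${escapeHtml(t.title)}</li>`).join('') + '</ul>';
}

// Review check over rendered output: does a raw <script ...> tag survive?
// Returns true when executable script markup is present in the HTML string.
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// Stand-alone run: compare the two renderings of the same local store.
console.log('unsafe contains script tag:', containsScriptTag(renderTasksUnsafe(localTaskStore)));
console.log('safe   contains script tag:', containsScriptTag(renderTasksSafe(localTaskStore)));
```

The difference between the two renderers is the whole of the "careful implementation" Sutton and Google refer to: the store itself is not at fault, but a page that reads from it and writes the values into the DOM without encoding turns the local database into a persistent injection channel. Encoding at the output boundary (and, in a real deployment, a restrictive Content Security Policy) is what keeps locally stored data from being abused.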
Google sees Sutton's research as validation of the security guidance it provides to Web developers.
"We built Gears with security in mind, and Mr. Sutton's findings do not show any vulnerabilities in Gears itself," a Google spokesperson said in an e-mailed statement. "Mr. Sutton's work does raise important points for developers who are building applications on top of Gears because, as with online Web applications, the security of local data depends on developers' thorough and careful implementation of their applications. We work hard on the security of our own applications, and we provide tools and documentation to developers to help them avoid introducing vulnerabilities like XSS into their applications."