Offline security warning sounded
Working offline can come with an unexpected risk |
A security expert has sounded a warning on features that allow offline access to websites.
Offline web applications allow people to store data on their own computer, so that they can use services like web-based e-mail when not online.
But sites with poor security that use the feature put their visitors at risk of being robbed of their data.
Michael Sutton disclosed the threat at the Black Hat security conference in Washington, DC.
Offline web applications are taking off because of services such as Gears, developed by Google, and HTML 5, a new HTML specification that is still in draft form.
It was introduced to many web users in January, when Gmail introduced a Gears-powered offline mode. Offline Gmail lets users read and write e-mail when they're not connected to the internet.
Mr Sutton stressed that Gmail, Gears and HTML 5 are considered secure, but websites that implement offline features without proper security could put users at risk.
"You can take this great, cool secure technology, but if you implement it on an insecure website, you're exposing it. And then all that security is for naught."
Mr Sutton found that websites which suffer from a well-known security vulnerability known as cross-site scripting are at risk.
A hacker could direct a victim to a vulnerable website and then cause the user's own browser to grab data from their offline database.
Be cautious when you get an email that says "there's a problem with your password, click on this link and we'll fix it" Michael Sutton |
Unlike phishing, the whole attack could take place on a reputable site, which makes it harder to detect.
As a proof of concept, Mr Sutton was able to swipe information from the offline version of a time-tracking website called Paymo. Mr Sutton alerted Paymo and it fixed the vulnerability immediately.
Web developers must ensure that their sites are secure before implementing offline applications, said Mr Sutton.
"Gears is fantastic and Google has done a great job of making it a secure technology. But if you slap that technology into an already vulnerable site, you're leaving your customers at risk," he explained.
Security expert Craig Balding agreed that it was up to developers to secure their sites, as the line between desktop applications and web applications becomes more blurred.
"Every website wants to keep up in terms of features, but when developers turn to technologies like this they need to understand the pros and cons," he told BBC News.
Enemy within
He said it was almost impossible for users to protect themselves, because the vulnerability lies in the website. Having up-to-date antivirus software and other protections would not help, he added.
"We've always told people to make sure your system is patched and make sure you surf reputable sites. Here's an example of an attack where those aren't going to protect you," explained Mr Sutton
Mr Sutton predicted that the majority of attacks would use spam email to direct the victim to a vulnerable website. He advised users to beware of any email that links to a website and seems untrustworthy.
"Be cautious when you get an email that says there's a problem with your password, click on this link and we'll fix it. Banks don't send those emails, for a reason."
No comments:
Post a Comment