The current trend toward enabling browsers to store more and more data--via not only cookies, but also Flash and Google's new Gears technology--is a ripe invitation to hackers. And since Gears, Google's technology for enabling offline access to online data, stores entire databases of information, it's the prime candidate for concerted malicious attacks--at least according to security researcher Michael Sutton, who presented at this week's Black Hat 2009 conference.
According to this report on internetnews.com, Sutton says that cookies are susceptible to client-side cross-site scripting attacks that could potentially let insecure cookies from one site read the cookies from another. The good news is that cookies are not that big a target, since they are fairly limited in the amount of data they can hold. So too with Flash, which also holds data in compromisable local shared objects, but is likewise fairly limited in how much data can be stored.
Gears, however, is another story. It provides a fully offline database for online Web applications, and all that data can be pretty enticing to nefarious attackers. For example, one potential attack vector for Gears is client-side SQL injection, since Gears can be controlled by JavaScript:
"So if there is a cross site vulnerability on a website where Gears is implemented, you can read/write from the local client database," Sutton said.
On the positive side, Sutton says that proper user input validation can help prevent such SQL injection attacks, and that to date Gears is not nearly widespread enough to be a big enough target for most attackers. But all that could change as more users download the tool to reap its fuller offline capabilities, and if sites continue to be lax in the way they protect local databases.
As he says, "Attack prevalence will increase in proportion to adoption." Something to think about.
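To make the injection-versus-validation point concrete, here is an added example (not from the post or from Google's Gears code): a Gears-style lookup that splices user text into SQL, beside the parameterized form the Gears Database API supported (`db.execute(sql, argsArray)` with `?` placeholders). `fakeGearsDb` is a constructed stand-in that records what it is asked to run, so the example runs offline without the discontinued plugin.

```javascript
// Constructed stand-in for google.gears.factory.create('beta.database'):
// it records the statement and bound arguments instead of touching SQLite.
function fakeGearsDb() {
  const calls = [];
  return {
    execute(sql, args) {
      calls.push({ sql, args: args || [] });
      return calls.length;
    },
    calls,
  };
}

// VULNERABLE: user-controlled text is spliced into the statement. Anything a
// cross-site scripting payload can put into `user` becomes SQL that runs
// against the local database. Returns the statement text for inspection.
function lookupNotesUnsafe(db, user) {
  const sql = "SELECT body FROM notes WHERE owner = '" + user + "'";
  db.execute(sql);
  return sql;
}

// HARDENED: the value travels as a bound parameter, so the statement text is
// fixed regardless of input, and an allow-list check (hypothetical rule for
// this example) rejects anything that is not a plausible account name.
const OWNER_RE = /^[A-Za-z0-9_.-]{1,64}$/;

function lookupNotesSafe(db, user) {
  if (!OWNER_RE.test(user)) {
    throw new Error('rejected owner value');
  }
  const sql = 'SELECT body FROM notes WHERE owner = ?';
  db.execute(sql, [user]);
  return sql;
}

// True when the WHERE clause still holds exactly one quoted literal, i.e. the
// input did not break out of its quotes and change the statement's meaning.
function statementIntact(sql) {
  return (sql.match(/'/g) || []).length === 2;
}
```

Running `lookupNotesUnsafe` with a constructed input containing a stray quote yields a statement that `statementIntact` rejects, while `lookupNotesSafe` either throws or keeps the statement text unchanged.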
The Source Seeker blog is written by Julie Bort, editor of the Open Source Subnet site as well as the Microsoft Subnet and Cisco Subnet sites. Indeed, Bort is the Online Community Editor for all of Network World. She also writes The Microsoft Update blog. If you have an idea for a blog, or a news tip on open source, Microsoft or Cisco, contact her at jbort@nww.com, 970-482-6454 or follow Julie on Twitter @Julie188.