Browser Beware

Next-generation Web apps could spark new hacking attacks on browsers.

Consumers use rich Internet technologies such as Google Gears to download videos and images from the Internet. Hackers can use these applications for a different purpose: to steal data through Web browsers.

The story is too old to be commented.
gololo3725d ago

this has nothing to run don't blurt out stupid things. the problem is local data storage, Google Gears and HTML5 spec (and Safari 3.0) have an API for an SQLite local database, which opens up possibilities to make web apps faster and more efficient. However, the article is right, devs have to be careful how they use this APIs since there could be open doors for hackers to check the data in this client side databases. Now, I think people should stick to best practices, if devs are storing sensitive information (credit card, passwords) in the local db, then yeah, its pretty stupid. Then again, I've seen a good amount of websites with user ids and passwords embedded in the query string of yeah devs to be more educated about security in web apps in general.

AuToFiRE3725d ago

actually it is windows fault, with IE it is integrated into the OS itself, and i mean very deep, it is used to search the computer, and copy and delete files, etc, its not the APIs, its the browser and the OS, im to lazy to explain the rest, i will come back and explain it later

gololo3724d ago is the APIs, are you familiar with HTML5 spec and Google Gears? They basically are adding a bunch of features that extend EVERY browser's capabilities. For instance, Google Gears offer a pool of threads for Javascript, which is awesome since you can keep threads to execute UI/Logic separate. Another feature, and this is where experts see the BIG security risk is CLIENT SIDE DATABASE. Google Gears provide this in form SQLite (and there are well known exploits for this DB engine). HTML5 SPEC (currently NO BROWSER has implemented HTML5 spec fully) calls for a client side database, Safari (since they are part of the WHATWG which is trying to outdo the W3C for the HTML5 spec) it has been the first browser that implement the client side database storage (with the help of Webkit). So what is the big deal with client side DB, having this DB can be compared to use cookies, you can store anything in this client side DBs. So the big risk is careless devs that will start abusing this client side DB, or just plainly use it just because it's the latest technology so they want to be cool. Therefore, if I use the client side storage wisely (i.e. not storing name, credit card info, passwords, personal/sensitive info) it should be fine. Finally to wrap this up, and you might be confused is that, Google Gears and HTML5 ARE PLATFORM INDEPENDENT since these features are meant to extend and make the browser as powerful as it can be. So...that means that even as I type in my linux box, I could still be vulnerable if I'm running a Gears or a HTML5 DB and I visit a site that makes use of this in a careless manner.

lewis3725d ago

we should do something.

gololo3724d ago

not to be on the open zone...