Risks of Persistent Storage
How to interact with online content when a user is offline has been a problem that many minds have struggled with over the years. In recent months one of the most popular theories of how users potentially would be able to interact with online content while offline has really taken off - that of caching significant data levels while online, then accessing and interacting with them while offline, all through the same interface.
While it may not be the first to implement such an idea, the introduction of Google Gears has attracted attention that previous attempts have not been able to. With this attention has come the attention of web application security experts, who have begun to consider the risks and potential security weaknesses that these systems can introduce.
Of greatest interest to the researchers is the concept of 'persistent storage', which means that projects such as Gears use a client-side (i.e. on the user's computer) database or other data storage method to store a chunk of online data that the user is expected to interact with while offline. Essentially, the data 'persists' on the user's system even after the connection to the Internet is gone. The technology behind the persistent storage for Gears is SQLite, a lightweight database engine that supports SQL data management and storage and which can be easily integrated within an application - rather than needing a separate database engine like many CMS do.
The safe passing of data to SQL databases is fairly well known, with techniques such as bound parameters, stored queries, and careful input filtering amongst the methods used to achieve safe data storage and interaction.
It is reported that Google Gears is making use of bound parameters to help protect against potential abuse of data input and mitigate against the risk of SQL injection.
With the number of persistent storage offline interaction systems soon to increase in number and use (Firefox is soon to include a SQLite-based system in Firefox 3), all it is going to take is a single mistake by a development team for a serious vulnerability to be included. From there, it will only be a matter of time before the dedicated and creative researchers find it and work out how to exploit it.
8 June 2007
Social bookmark this page at eKstreme.
Alternatively, Bookmark or Share via AddThis
Do you like how we cover Information Security news? How about checking out our company services, delivered the same way our news is.
Let our Free OS X Screen Saver deliver the latest security alerts and commentary to your desktop when you're not at your system.
Comments will soon be available for registered users.