February 19, 2009
Offline Security Warning
A security expert is warning that working offline can come with an unexpected risk due to poor security on certain sites.
Offline web applications give users the ability to store data on their own computer, so they can access services like web-based e-mail when not online.
However, bad security on some sites puts visitors at risk of having that locally stored data stolen.
During the Black Hat security conference in Washington, DC, Michael Sutton discussed the potential threat.
Experts say offline web applications are becoming more popular after the emergence of services like Gears, developed by Google, and HTML 5, a new HTML specification that is still in draft form.
Gmail introduced a Gears-powered offline mode in January, which allows users to read and write e-mail when they're not connected to the Internet.
Sutton noted that Gears and HTML 5 themselves are considered secure. However, websites that implement offline features without proper security of their own could put users at risk.
"You can take this great, cool secure technology, but if you implement it on an insecure website, you're exposing it. And then all that security is for naught."
A well-known class of vulnerability, cross-site scripting, puts users at risk: a hacker could direct a victim to a vulnerable website and then cause the user's own browser to read data from their offline database and hand it over.
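The mechanism Sutton describes has a straightforward defensive counterpart: the offline store is scoped to the site's origin, so the site must keep untrusted text from becoming script in that origin. The following is an added illustration, not code from the article, from Sutton's talk, or from Gears; the function names, the greeting template and the crafted input are all constructed for the example. It shows the vulnerable rendering pattern beside its hardened form and a small check that flags when a tag not present in the template survives into the output.

```javascript
// Added example (not from the article). The article's point is that an
// offline store (Gears, HTML5 local storage) is readable by any script that
// runs in the site's origin, including script injected through a
// cross-site scripting flaw. The fix belongs in the site, not the storage
// technology: never place untrusted text into HTML unescaped.
// All function names below are hypothetical.

// Encode the five characters that let text break out of an HTML text or
// quoted-attribute context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  })[ch]);
}

// The vulnerable pattern: a display name taken from the URL or a form is
// concatenated straight into markup, so whatever the link author supplied
// becomes part of the page and runs with access to the offline store.
function renderGreetingUnsafe(displayName) {
  return '<p>Welcome back, ' + displayName + '</p>';
}

// The hardened version: same page, but the untrusted value is encoded so it
// can only ever render as text.
function renderGreetingSafe(displayName) {
  return '<p>Welcome back, ' + escapeHtml(displayName) + '</p>';
}

// A check a test suite can run over rendered output: does any tag appear
// that was not part of the template? Returns true when injection survived.
function hasInjectedTag(html, templateTags) {
  const tags = (html.match(/<\/?([a-zA-Z][a-zA-Z0-9-]*)/g) || [])
    .map((t) => t.replace(/^<\/?/, '').toLowerCase());
  return tags.some((t) => !templateTags.includes(t));
}

// Constructed input standing in for a crafted link parameter; the script
// body is a comment, since only the structural point matters here.
const CRAFTED_NAME = 'alice<script>/* injected script would run here */</script>';

// Render the same crafted input both ways and report whether a foreign tag
// survived. Expected: the unsafe path is flagged, the safe path is not.
function demo() {
  const unsafe = renderGreetingUnsafe(CRAFTED_NAME);
  const safe = renderGreetingSafe(CRAFTED_NAME);
  return {
    unsafeHasInjection: hasInjectedTag(unsafe, ['p']),
    safeHasInjection: hasInjectedTag(safe, ['p']),
    safe,
  };
}

console.log(demo());
```

The check in `hasInjectedTag` is deliberately coarse: it is a regression guard for templates you control, not a sanitizer. The real defence is the encoding in `renderGreetingSafe`, applied at every point where untrusted data meets markup, which is exactly the "secure the site first" condition Sutton sets before enabling offline features.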
Sutton warned users to be wary when they get an email that says "there's a problem with your password, click on this link and we'll fix it."
Because the whole security failure can play out on a reputable site, it is harder for users to detect.
As an example, Sutton was able to swipe information from the offline version of a time-tracking website called Paymo; he alerted the company and it fixed the vulnerability immediately.
He warned that web developers must ensure their sites are secure before implementing offline applications.
"Gears is fantastic and Google has done a great job of making it a secure technology. But if you slap that technology into an already vulnerable site, you're leaving your customers at risk," he explained.
Security expert Craig Balding says he believes it is the developers' responsibility to secure their sites because the line between desktop applications and web applications is now more blurred.
"Every website wants to keep up in terms of features, but when developers turn to technologies like this they need to understand the pros and cons," he told BBC News.