WASHINGTON DC. With or without your knowledge your web browser is storing information that could end up leaving you at risk – maybe. That’s the gist of a presentation by security researcher Michael Sutton delivered at the Black Hat conference.
Browsers today store data in a variety of ways, including HTTP cookies, Flash local shared objects, and Google Gears along with the related HTML 5 storage specification.
With cookies, Sutton discussed an attack vector he called client-side cross-site scripting, which could potentially allow insecurely scoped cookies from one site to be read by another. Cookies have been supported by browsers since the earliest Netscape releases and can hold only a limited amount of data.
When it comes to Flash, Flash files save data in local shared objects, which are similar in some respects to cookies and are likewise limited in their storage capacity.
Then there is Gears, which provides a fully offline database for online web applications. Gears, which began life as Google Gears, is a Google technology used for offline Gmail and is also being used by several other third-party vendors.
“The problem with Gears could be a data confidentiality issue,” Sutton said. “Gears itself is secure, but if it is implemented insecurely by a site, that’s where the problems can occur.”
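Sutton's point that the storage layer is sound but a site can use it insecurely applies equally to the HTML 5 Web Storage the article mentions. As an added example (not from the talk or the article), the script below audits what a site has left in a Storage-like object; the localStorage stand-in, the key and value patterns, and the sample entries are all constructed for illustration:

```javascript
// Added example (not from the article): audit what a site has left in
// HTML5 Web Storage. Any script running in the page's origin can read
// every entry, so whatever a site keeps here is only as confidential as
// the site is free of script injection.

// Constructed stand-in for window.localStorage so this runs under Node;
// in a browser you would pass window.localStorage itself.
function makeStorage(entries) {
  const map = new Map(Object.entries(entries));
  return {
    get length() { return map.size; },
    key: (i) => Array.from(map.keys())[i] ?? null,
    getItem: (k) => (map.has(k) ? map.get(k) : null),
  };
}

// Key names that usually mean a credential or identifier is being stored.
const SENSITIVE_KEY = /(token|session|passw|secret|auth|api[_-]?key|ssn|card)/i;
// Values that look like bearer material: JWTs and long opaque strings.
const JWT_VALUE = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/;
const OPAQUE_VALUE = /^[A-Za-z0-9+/=_-]{32,}$/;

// Walks a Storage-like object with the standard length/key/getItem API and
// returns one finding per entry that a site should not keep client-side.
function auditStorage(storage) {
  const findings = [];
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    const value = storage.getItem(key) ?? "";
    const reasons = [];
    if (SENSITIVE_KEY.test(key)) reasons.push("sensitive key name");
    if (JWT_VALUE.test(value)) reasons.push("JWT-shaped value");
    else if (OPAQUE_VALUE.test(value)) reasons.push("token-shaped value");
    if (reasons.length) findings.push({ key, bytes: value.length, reasons });
  }
  return findings;
}

// Constructed sample: what an insecurely implemented site might leave behind.
const sample = makeStorage({
  "ui.theme": "dark",
  "session_token": "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiI0MiJ9.c2lnbmF0dXJl",
  "draft:mail:7": "Reminder to renew the domain next month",
  "api_key": "0123456789abcdef0123456789abcdef",
});

console.log(auditStorage(sample)); // flags session_token and api_key only
```

Run in a browser console against `window.localStorage` to see what a given site keeps; entries flagged here are the ones a site should move server-side or drop.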