Browser Beware: Next-generation Web apps could spark new hacking attacks on browsers.

Jagi

Browser Beware



Consumers use rich Internet technologies such as Google Gears to download videos and images from the Internet. Hackers can use these applications for a different purpose: to steal data through Web browsers.

In a presentation at the Defcon hacker conference in Las Vegas Friday, security experts from iSEC Partners said that while rich Internet applications make a user experience faster and more fluid by caching data locally, they aren't secure--and this opens the door for hackers to extract user data without ever touching a server, using techniques such as SQL injection and cross-site scripting.

"The normal assumption would be that rich Internet applications [are] kind of the same as Web applications, security-wise," said David Thiel, a researcher at San Francisco-based security consulting firm iSEC. "That's totally not true."

ISEC pointed to next-generation application tools, such as Adobe AIR and Google Gears, which could make it even easier to snatch data and personal information through browsers.

"Google Gears, for example, just gives a tiny little dialog that says 'Do you want something to use Gears?'" Thiel said. "There's things in Firefox now where you can change the way the browser handles different types of content, like what you use as your mail client, just from a single request from a Web page."

To solve these security issues, Thiel wants developers to pay more attention to the trade-offs between security and usability as they develop applications.

"I think people have been really casual about introducing a lot of these mechanisms without really understanding the implications," Thiel said. "There's a need to educate developers that this kind of flaw now pertains to client-side security and not just attacking servers. They're just waiting to get bitten by it."

Alex Stamos, a founding partner at iSEC, said users should demand more transparency from their browsers in order to make more intelligent decisions about application security.

He also wants browsers to be more up-front about the potential security implications that surround these new technologies. "People think Flash is safe, and traditionally, Flash has been trapped in your browser, but now with Adobe AIR, Flash is let out."

Because these technologies are still new, the threats are mostly theoretical so far. "The attacks we're talking about right now, it is unlikely that you're going to see them in the wild," Stamos said.

But with rapidly increasing adoption rates of rich Internet technologies, partially thanks to the relatively few disclaimers surrounding them, Thiel said the threat is increasing fast.

"Given the degree to which we see malware-infested machines today, just with current technologies, this makes it so much easier."
 

Heist

Re: Browser Beware: Next-generation Web apps could spark new hacking attacks on brows

Remember, Skynet was software not hardware!

 