Page last updated at 18:38 GMT, Wednesday, 18 February 2009

Offline security warning sounded


A security expert has sounded a warning on features that allow offline access to websites.

Offline web applications allow people to store data on their own computer, so that they can use services like web-based e-mail when not online.

But sites with poor security that use the feature put their visitors at risk of being robbed of their data.

Michael Sutton disclosed the threat at the Black Hat security conference in Washington, DC.

Offline web applications are taking off because of services such as Gears, developed by Google, and HTML 5, a new HTML specification that is still in draft form.

Offline access was introduced to many web users in January, when Gmail launched a Gears-powered offline mode. Offline Gmail lets users read and write e-mail when they're not connected to the internet.

Mr Sutton stressed that Gmail, Gears and HTML 5 are considered secure, but websites that implement offline features without proper security could put users at risk.

"You can take this great, cool secure technology, but if you implement it on an insecure website, you're exposing it. And then all that security is for naught."

Mr Sutton found that websites which suffer from a well-known security vulnerability known as cross-site scripting are at risk.

A hacker could direct a victim to a vulnerable website and then cause the user's own browser to grab data from their offline database.


Unlike phishing, the whole attack could take place on a reputable site, which makes it harder to detect.

As a proof of concept, Mr Sutton was able to swipe information from the offline version of a time-tracking website called Paymo. Mr Sutton alerted Paymo and it fixed the vulnerability immediately.

Web developers must ensure that their sites are secure before implementing offline applications, said Mr Sutton.

"Gears is fantastic and Google has done a great job of making it a secure technology. But if you slap that technology into an already vulnerable site, you're leaving your customers at risk," he explained.

Security expert Craig Balding agreed that it was up to developers to secure their sites, as the line between desktop applications and web applications becomes more blurred.

"Every website wants to keep up in terms of features, but when developers turn to technologies like this they need to understand the pros and cons," he told BBC News.

Enemy within

He said it was almost impossible for users to protect themselves, because the vulnerability lies in the website. Having up-to-date antivirus software and other protections would not help, he added.

"We've always told people to make sure your system is patched and make sure you surf reputable sites. Here's an example of an attack where those aren't going to protect you," explained Mr Sutton.

Mr Sutton predicted that the majority of attacks would use spam email to direct the victim to a vulnerable website. He advised users to beware of any email that links to a website and seems untrustworthy.

"Be cautious when you get an email that says there's a problem with your password, click on this link and we'll fix it. Banks don't send those emails, for a reason."
