Friday, April 4, 2008

Google Gears and Security concerns - Paper

Recently Google announced that it will offer offline access to Google Docs, which contains the word processor, spreadsheet and presentation applications. But there have been many security concerns over the Gears database: how it stores the files, and how bad it can get if a malicious attacker gets access to your database files.

I am surely not a great writer, but I have tried to assemble all the security concerns related to the Google Gears database and files into one document. It gives an introduction to Gears, how it stores files on your hard drive, how to access them without Google's offline application (access to the raw data stored in the database), and then all the security issues that can affect the user's data.

A final word: Google Gears is surely a boon for forensics investigators.

The PDF file is available for download


Extract from the Paper:

Let's look at some security concerns relating to your Gears database.

1) DNS spoofing or /etc/hosts file
Once the machine accesses a website that has the same name as one already present in the Gears database, and the user clicks go online, it will start to sync with the online server. Just a little piece of code can be used to capture all the data, and the user's personal and official documents can be compromised.

2) SQL Injection
Even Google has pointed out in its documentation that SQL injection attacks are very much possible and that developers should use the APIs to access the data, rather than directly querying the database.

3) Cross site scripting
There is not much detail about it at this time, but XSS attacks are very much possible, and Google is even trying to implement access for other websites to the same database, so of course the threat is increasing. XSS attacks are more than just stealing cookies.

4) Security of Data files
Gears relies heavily on operating system security, which means that if an attacker gets hold of your .db files he has all the data he needs about you and your files are compromised. The attacker does not even need root access to your operating system: a bug in the browser is enough for an attacker to successfully grab your .db files. If a malicious attacker exploits the trust between the databases and contaminates the database files, he can erase all your data, and if your web application does not keep revision files online you are surely in a mess. Even if you have a revision copy, if the attacker contaminates more than 100 files you will need to spend a lot of time reverting to earlier versions.

5) Memory usage
Gears surely makes your browser heavy the moment it starts to sync data, and as the adoption of Gears increases a malicious attacker can create a DoS on your system. Bringing down the whole system is far off, but an attacker can surely freeze your browser and keep you from working, or fill up your hard drive with useless junk data in the database files by creating a simple loop and passing it to the worker thread, so that the junk data is generated locally and never needs to be downloaded from the internet.

6) Encryption
Gears stores all the data in plain text and does not encrypt anything in the database or local server, so all your data can be compromised if a user grabs a copy of your .db files.

7) Good news for Forensics Investigators
The adoption of Gears, or in fact of online/offline applications in general, is good because forensics investigators don't have to mess with password-protected office files or deal with encryption. Forensics investigators will even have revision copies of the documents, because it's all there in the database file and everything is logged with timestamps, so you can track and reconstruct when a file was copied, edited, etc.

8) Gears Applications
At this point in time the major Gears applications are Google Reader and Zoho Writer, but Google Calendar, Gmail and Google Docs are rumored to be available soon, so there will be a lot more unencrypted data on the hard drive to help crime fighters and forensics investigators.

9) New Attack avenues
Google Gears uses the UFBP (Universal Firewall Bypass Protocol), also called HTTP. Lots of new attacks come up every day, and because of Google Apps the usage is going to grow. HTTP is always allowed in companies, and monitoring it is also a bigger challenge.

10) Malware
Once an attacker has access to the database, he can use JavaScript malware that loads every time, spreads virus infections and delivers malware. We recently saw how client-side JavaScript can be used to scan networks, and in the near future Gears can be used to deliver malware.

11) Worker Process Abuse
The worker process is supposed to sync data and do normal processing, but what if an attacker finds a way to abuse it to scan machines in your intranet or create a DoS condition?

12) Password Protection
You cannot password-protect your files when they are offline, as you can in Microsoft Office.

13) Implications on the server
I have not figured out much on this topic, but Gears can also be used to put more stress on the server. Of course a single Gears installation cannot do much to the cloud servers, but a massive attack consisting of hundreds of users sending junk data to the server can have a nasty outcome.
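
The plaintext-storage concern in points 6 and 7 above can be checked on any copied SQLite file. The following is an added example, not code from the paper: it builds a constructed sample store (the `documents` and `revisions` tables and all values are hypothetical, not the real Gears schema), then inventories it read-only, rebuilds a revision timeline, and confirms the text is readable in the raw file bytes.

```python
import os
import pathlib
import sqlite3
import tempfile

def build_sample_store(path):
    """Create a CONSTRUCTED offline store; table/column names are hypothetical."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE documents (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    con.execute("CREATE TABLE revisions (doc_id INTEGER, saved_at TEXT, body TEXT)")
    con.execute("INSERT INTO documents VALUES (1, 'Q3 budget', 'salary table draft')")
    con.executemany("INSERT INTO revisions VALUES (1, ?, ?)",
                    [("2008-04-01T09:12:00", "salary table"),
                     ("2008-04-02T17:40:00", "salary table draft")])
    con.commit()
    con.close()

def open_read_only(path):
    # mode=ro keeps the evidence copy unmodified; no password or key is involved.
    uri = pathlib.Path(path).resolve().as_uri() + "?mode=ro"
    return sqlite3.connect(uri, uri=True)

def inventory(path):
    """Return {table_name: row_count} for every table in the file."""
    con = open_read_only(path)
    try:
        names = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
        return {n: con.execute(f'SELECT COUNT(*) FROM "{n}"').fetchone()[0]
                for n in names}
    finally:
        con.close()

def revision_timeline(path, doc_id):
    """Return (timestamp, body) pairs for one document, oldest first."""
    con = open_read_only(path)
    try:
        return con.execute("SELECT saved_at, body FROM revisions "
                           "WHERE doc_id = ? ORDER BY saved_at", (doc_id,)).fetchall()
    finally:
        con.close()

def plaintext_on_disk(path, needle):
    """True if the string appears verbatim in the raw file (nothing encrypted at rest)."""
    with open(path, "rb") as fh:
        return needle.encode("utf-8") in fh.read()

def demo():
    path = os.path.join(tempfile.mkdtemp(), "sample_offline_store.db")
    build_sample_store(path)
    return (inventory(path), revision_timeline(path, 1),
            plaintext_on_disk(path, "salary table draft"))
```
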


-Abhiz
