Fraudsters say thanks for the memory
Although many people are unaware of it, there is a serious security issue that affects how the world's most popular web browsers store your data, according to Rogan Dawes, Principal Security Consultant for independent consultants, Corsaire
Although few people are aware of it, a common computer technique known as "caching", where a temporary storage area is used to allow rapid access to frequently accessed data, is putting both businesses and consumers at risk of a serious security breach. The problem is caused by the fact that sensitive data is routinely being stored by the user's Web browsing software – often without their knowledge.
Although many people still believe that only users of shared systems, web-cafés, kiosks and other public locations are affected by this potential threat, insecure caching is increasingly having a serious impact on business users in particular, especially since web browsers have become a prime target for hackers.
Modern web browsers use caching technology to store previous responses from web servers, such as web pages, in order to reduce the amount of information that needs to be transmitted across the network. Since information previously stored in the cache can often be re-used, this approach reduces the bandwidth and processing requirements of the web server, and therefore helps to improve both speed and responsiveness for Internet users.
However, there are two key reasons that Internet users may want to prevent this kind of data storage: either to prevent any sensitive information from being stored inadvertently, and/or to ensure that they are always viewing the most current information available, since cached copies of web sites may contain out-of-date data.
For both of these reasons, caching is something that businesses, in particular, need to get right from both a performance and security perspective, as the caching of data in the browser – and the ability to keep potentially sensitive data from being stored in the cache – is paramount to information security. It is therefore in the application developer's interest to tag data correctly – in order to prevent its exposure – and in the users' interest to ensure that their data remains private.
As part of a recent white paper on the subject, called Cache for Questions, we examined the risk of sensitive data being stored in a user's web browser, as well as the variations that exist in different web browsers and the effectiveness of the mitigations currently being recommended. This study also looked at the shortfalls in both browser security and the common wisdom in this area, and considered what remediation could be applied to keep both personal and business data safe.
Having completed this research, and after conducting security assessments of web applications and technologies for over a decade, it has become clear that web browsers are inconsistent and insecure in their operation relating to cache behaviour. Unfortunately, the guidelines and standards being used to combat this problem are often conflicting, and routinely include assumptions, misinterpretations and mistakes. To make matters worse, the security breaches being caused as a result are largely invisible to end-users and service providers, which makes the problem even more dangerous.
At the same time, a growing number of lost and stolen laptops, as well as an abundance of second-hand systems and hard-drives, are now being sold via the Internet on auction sites. Unfortunately, once purchased, this equipment is liable to be picked over by individuals who know that local caches can often provide a rich source of valuable information.
Although some users think that they can enhance their security by simply deleting their browsing history, this single step alone is simply not enough. A browser's cache is still a valuable store of information. For example, a JavaScript file (which is generated dynamically when requested) often contains a unique tracking ID, and can live permanently in the browser's cache when labelled with the right HTTP cache-control headers.
This JavaScript file can then be accessed by external pages and – because the script is never re-requested – it keeps the same unique ID, which means that it can call upon resources on the server-side in order to track the user. A hacker would just need to associate this unique ID with the user's account once (when he/she logs in for the first time, after the ID was created) in order to set "cookies" (the short lines of text that a web site puts on a computer's hard drive when a user accesses the site) and track any activity easily. The result is that the users can be tracked uniquely, even after they have cleared any cookies.
Even though modern browsers typically have "privacy" tools for clearing caches, the vast majority of users still do not understand how or when to use them. Plus, most web browsers lack efficient cache disposal controls (compared to their ability to delete "cookies"), which means that this whole area requires more attention.
At the moment, a user's web browser can easily be tagged and tracked using a unique identifier which lives in the web browser's cache for a very long time (using HTTP cache control headers and the browser's use of conditional "GET" requests to ask the server for a document that matches specific parameters). As a result, we believe that it is in the interests of both consumers and businesses to ensure that sensitive data is not persistently "cached" in the first place.
In actual fact, it is not very difficult to prevent a web browser from caching pages to disk. However, if you ask ten developers how to prevent the caching of a resource served via HTTP, you'll probably get ten different answers. Advice abounds on the Internet, but it's inconsistent and outdated in many cases.
For all of these reasons, there is a temptation in some quarters to restrict access to specific browsers or even versions of browsers. This approach, however, is counter-productive for a number of reasons, not least of which is the fact that many browsers give the user the ability to masquerade as an alternate anyway.
Instead, applications should be developed in line with the W3C standards for maximum compatibility and – even though providers should be aware of the variations and inconsistencies and where possible to accommodate them – responsibility in this area must ultimately be shared with both browser developers, application developers and end users.
What can users do to protect themselves from this issue? Users should periodically clear their browser's cache, to ensure that no sensitive data remains.
Rogan Dawes, Principal Security Consultant, Corsaire.
