
What are the risks of Storing Credit Card / Bank Account Information in LocalStorage?

I recently noticed a bill pay website I was using seemed to be storing my bank account and credit card number in my browser's LocalStorage. The data is stored in a JSON object that gets stringified into LocalStorage. There is no special encoding, obfuscation, or encryption of the data.

While this was very off-putting initially and definitely seems like a substandard engineering practice, I'm having trouble thinking of ways this implementation could be meaningfully hacked:

  • Since the site was HTTPS, a man-in-the-middle attack could not inject malicious JavaScript to read out of LocalStorage.
  • LocalStorage is not shared on the same domain between HTTP and HTTPS, so that would rule out script injection over non-SSL connections.
  • If the web app failed to sanitize user-submitted content, perhaps a malicious script could be injected to steal data from LocalStorage, but it could also steal this data from JavaScript's memory directly. Thus, the risk level is no different using LocalStorage.
  • A malicious browser plugin could perhaps read the data out of LocalStorage, but that's really no different from the risk that a malicious plugin could scrape the data off the web page or read it from JavaScript memory.
  • If the user logged into this site on a public computer, it's plausible someone could steal their payment data out of LocalStorage. But that wouldn't be too different than someone stealing their data off the screen had they left themselves logged into the application. I'm assuming that LocalStorage gets cleared upon log out (which might be an overly generous assumption here).

What other security vulnerabilities are opened up by this practice?

If the web app failed to sanitize user-submitted content, perhaps a malicious script could be injected to steal data from LocalStorage, but it could also steal this data from JavaScript's memory directly. Thus, the risk level is no different using LocalStorage.

I disagree. It makes a big difference if a script has to be injected into a very specific web page to be able to get access to user entered sensitive data or if the JavaScript can be injected on any page on that host and simply access the LocalStorage and send the data somewhere. In the latter case one page that is accessed by the user at any point is sufficient for the attack.

Furthermore you have to take into account that the LocalStorage is usually stored in plain text by the web browser.

IMHO the only way to store sensitive data in the LocalStorage is to let the server encrypt it using an authenticated cipher with a user-specific key that is only known by the server. If the data should be used again afterwards, the client could send it to the server and the server can then decrypt it and use it. Of course the sensitive part should never ever be sent back to the client (e.g. as a pre-filled form on a web page).

The technical post webpages of this site follow the CC BY-SA 4.0 license. If you need to reprint, please indicate the site URL or the original address. For any questions, please contact: yoyou2525@163.com.
