I recently noticed a bill pay website I was using seemed to be storing my bank account and credit card number in my browser's LocalStorage. The data is stored in a JSON object that gets stringified into LocalStorage. There is no special encoding, obfuscation, or encryption of the data.
While this was very off-putting initially and definitely seems like a substandard engineering practice, I'm having trouble thinking of ways this implementation could be meaningfully hacked:
What other security vulnerabilities are opened up by this practice?
If the web app failed to sanitize user-submitted content, perhaps a malicious script could be injected to steal data from LocalStorage, but it could also steal this data from JavaScript's memory directly. Thus, the risk level is no different using LocalStorage.
I disagree. It makes a big difference if a script has to be injected into a very specific web page to be able to get access to user entered sensitive data or if the JavaScript can be injected on any page on that host and simply access the LocalStorage and send the data somewhere. In the latter case one page that is accessed by the user at any point is sufficient for the attack.
Furthermore you have to take into account that the LocalStorage is usually stored in plain text by the web browser.
IMHO the only way to store sensitive data in the LocalStorage is to let the server encrypt it using an authenticated cipher using a user-specific key that is only known by the server. If afterwards the data should be used again, the client could send it to the server and the server can then decrypt it and use it. Of course the sensitive part should never ever be sent back to the client (e.g. as a pre-filled form on a web page).
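
The scheme described in the answer above, sketched as an added example that is not part of the original answer or of any site's real code. The answer only says "authenticated cipher" and "user-specific key"; AES-256-GCM, HKDF key derivation, and the names `MASTER_SECRET`, `userKey`, `seal` and `unseal` are assumptions of this example.

```javascript
// Added example. Runs on the server only: the browser stores the opaque token
// in LocalStorage and never holds a key or sees the plaintext again.
const { createCipheriv, createDecipheriv, hkdfSync, randomBytes } = require('node:crypto');

// Assumption: a 32-byte master secret known only to the server (normally loaded
// from a secrets manager; generated here so the example runs offline).
const MASTER_SECRET = randomBytes(32);

// Derive a per-user AES-256 key so one user's token cannot be opened for another.
function userKey(userId) {
  const info = `localstorage:${userId}`;
  return Buffer.from(hkdfSync('sha256', MASTER_SECRET, Buffer.alloc(0), info, 32));
}

// Encrypt and authenticate; the user id is also bound in as associated data.
function seal(userId, plaintext) {
  const iv = randomBytes(12); // fresh 96-bit nonce for every token
  const cipher = createCipheriv('aes-256-gcm', userKey(userId), iv);
  cipher.setAAD(Buffer.from(userId, 'utf8'));
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), body]).toString('base64');
}

// Returns the plaintext, or null if the token was altered, truncated,
// or was issued to a different user.
function unseal(userId, token) {
  const raw = Buffer.from(String(token), 'base64');
  if (raw.length < 28) return null; // 12-byte IV + 16-byte tag at minimum
  try {
    const decipher = createDecipheriv('aes-256-gcm', userKey(userId), raw.subarray(0, 12));
    decipher.setAAD(Buffer.from(userId, 'utf8'));
    decipher.setAuthTag(raw.subarray(12, 28));
    const body = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
    return body.toString('utf8');
  } catch {
    return null; // authentication failed
  }
}

// Constructed sample data (not a real account number).
const token = seal('user-1001', JSON.stringify({ account: '000123456789' }));
console.log(unseal('user-1001', token)); // the original JSON string
console.log(unseal('user-2002', token)); // null: wrong user
```

A script that reads LocalStorage obtains only the token, which is useless without the server's secret; the server should still treat a submitted token as a request to use the data, not to reveal it.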