Google Gears, as you may have heard, is a browser extension that lets you develop applications that can run offline. If you haven't already, try out the sample applications to get a feel for the functionality Google Gears has to offer. You can even use it to read Google Reader offline.
It's a good idea to brainstorm the possible security implications of Google Gears, because it allows web code to act on the user's local disk (sandboxed by the browser's same-origin policy). I've spent a few minutes looking at the architecture, and here are my initial thoughts:
- It is great that the documentation warns users about SQL Injection, and recommends the use of parameterized SQL instead. Google is doing the right thing here, because they cannot prevent the construction of JavaScript strings that accept user input to construct SQL statements (dynamic SQL). All they can do at this point is warn the developers. This will save a lot of developers who go through the documentation from doing the wrong thing.
- I like the fact that the Gears plugin asks the user's permission when a website attempts to use the plugin.
- It will be interesting to see what sort of data application developers will store offline using Google Gears. A simple XSS (Cross Site Scripting) vulnerability in an application can easily expose the offline information. It is true that if an application is vulnerable to XSS, it is not Google Gears' fault. However, the Gears SQL-based API may make it easier for an XSS attack to pull or manipulate data from the victim's Gears database.
- The database API is quite restricted at the moment (Gears is still in beta). It will be interesting to see what enhancements future versions of Gears will have, and whether they contribute additional attack vectors. Should there be a vulnerability in the Gears plugin or the browser itself (see A Remote Vulnerability in Firefox Extensions for example), the user's local disk may be at stake.
- I don't see any restrictions on how big the Gears database can get. There is no option to configure the Gears browser extension to restrict the size of a database. This may contribute to a denial of service attack by a rogue website (this is perhaps less likely because the Gears extension asks the user's permission before allowing the site to use the Gears API), or by an attack exploiting an XSS vulnerability in a website that uses Gears.
- There is no API to facilitate the encryption of the offline data. Perhaps this will be added at a later time.
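To make the first point above concrete, here is the same lookup built two ways: by splicing a value into the statement text (dynamic SQL) and by handing the value to `execute` as a parameter, as the Gears documentation recommends. This is an added example, not code from the original post or from the Gears project. The `db` object is a constructed stand-in that only mimics the shape of the Gears `Database.execute(sql, args)` call and records what it would pass to SQLite, so the example runs without the plugin; the `notes` table and its `title` column are assumed for illustration.

```javascript
// Added example: dynamic SQL vs. parameterized SQL against a Gears-style
// execute(sql, args) interface. Not the Gears project's code.

// Constructed stand-in for the Gears Database object: it records each
// statement and argument array instead of running them.
function makeRecordingDb() {
  const calls = [];
  return {
    execute(sql, args) {
      const call = { sql, args: args || [] };
      calls.push(call);
      return call;
    },
    calls,
  };
}

// Dynamic SQL: the untrusted value becomes part of the statement text, so a
// quote character in the input changes the structure of the query.
function findNotesDynamic(db, title) {
  return db.execute("SELECT * FROM notes WHERE title = '" + title + "'");
}

// Parameterized SQL (the documented recommendation): the statement text is
// fixed and the value travels separately in the argument array.
function findNotesParameterized(db, title) {
  return db.execute("SELECT * FROM notes WHERE title = ?", [title]);
}

// Defender's check: reduce a statement to its "shape" by replacing every
// string literal with a placeholder. A statement whose shape differs from
// the one the developer wrote has had its structure altered by input.
function statementShape(sql) {
  return sql.replace(/'(?:[^']|'')*'/g, "?");
}

// Constructed untrusted input: one apostrophe is enough to leave the string
// literal in the dynamic version.
const UNTRUSTED_TITLE = "x' OR '1'='1";
const INTENDED_SHAPE = "SELECT * FROM notes WHERE title = ?";

function demo() {
  const db = makeRecordingDb();
  const dyn = findNotesDynamic(db, UNTRUSTED_TITLE);
  const par = findNotesParameterized(db, UNTRUSTED_TITLE);
  return {
    dynamicSql: dyn.sql,
    dynamicShapePreserved: statementShape(dyn.sql) === INTENDED_SHAPE,
    parameterizedSql: par.sql,
    parameterizedArgs: par.args,
    parameterizedShapePreserved: statementShape(par.sql) === INTENDED_SHAPE,
  };
}

// Run directly with node: prints both statements and whether each kept the
// developer's intended shape.
console.log(demo());
```

The `statementShape` helper is a cheap review-time check rather than a defense: if any statement an application sends through `execute` changes shape between runs, input has leaked into the SQL text and that call site should be rewritten with `?` placeholders.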
I like the concept of Google Gears. I think it's a great idea. Just like everything in life, the increased functionality it provides is not without increased risk. If I had to pick from the list above, I'd guess that we are most likely to hear of existing XSS or browser vulnerabilities being abused to steal (or manipulate) Gears databases.