HUE-9608

Sensitive Information Stored in Local Storage

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 4.8.0
    • Fix Version/s: None
    • Component/s: core.ui
    • Labels: None
    • Backward Incompatible: Backward Incompatible

      Description

      Problem Statement: Local Storage (also called Web Storage or Offline Storage) is a browser mechanism that stores data as key/value pairs tied to an origin, with access enforced by the same-origin policy (SOP). Local storage is persistent and is intended to survive browser and system restarts.

      Exploitability

      HTML5 Local Storage has the following limitations:

      • By default, local storage persists across sessions.
      • Session information stored in local storage cannot be protected from cross-site scripting (XSS) the way cookies can: there is no HttpOnly equivalent, so any script running on the origin can read it.
      • Sensitive data cached by a web browser can be exposed in shared environments.

      This attack requires access to the browser's local storage, either by compromising the victim's computer with malicious software or by using a shared workstation on which the victim has previously logged in to the application. Local storage is not deleted on explicit logout or when the browser is closed unless the application removes it itself.

      Currently Hue saves the following information in localStorage:

      • Database name
      • User’s last action
      • Application user names

      Although this information is not sensitive, we should provide a way to either mask it or disable the feature.

      Proposal 1: I am proposing the use of secure-ls (https://www.npmjs.com/package/secure-ls) to mask and compress the data stored in localStorage.

      Proposal 2: I am proposing a new config under [desktop][[custom]] in hue.ini, disable_localStorage=false, which allows disabling the usage of localStorage. The value will be false by default; customers can set it to true if they don't want to use the localStorage feature.
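      The following JavaScript is an added example, not Hue's code and not the secure-ls library. It shows the two points of this issue together: how any script on the origin can enumerate everything in localStorage in clear text (the XSS/shared-workstation exposure above), and how a client-side wrapper could honour a server flag like the proposed disable_localStorage setting by keeping state in memory only, while removing its own keys on explicit logout. The `disableLocalStorage` config field, the `hue.` key prefix and the in-memory stand-in for window.localStorage are assumptions made for this example so that it also runs outside a browser.

```javascript
// Added example (not Hue's code). Models the behaviour discussed in HUE-9608:
//  1. Anything written to localStorage is readable by *any* script on the
//     origin (no HttpOnly equivalent) and survives logout and browser close
//     unless the application removes it.
//  2. A server-side flag such as the proposed disable_localStorage=true can be
//     surfaced to the client; when set, the wrapper keeps state in RAM only.

// In-memory stand-in exposing the part of the Storage API used below.
// Constructed for this example; in a real page the browser supplies localStorage.
function memoryStorage() {
  const data = new Map();
  return {
    getItem: (k) => (data.has(k) ? data.get(k) : null),
    setItem: (k, v) => { data.set(k, String(v)); },
    removeItem: (k) => { data.delete(k); },
    key: (i) => Array.from(data.keys())[i] ?? null,
    get length() { return data.size; },
  };
}

// What an injected script sees: every key/value on the origin, in clear text.
function dumpStorage(store) {
  const out = {};
  for (let i = 0; i < store.length; i++) {
    const k = store.key(i);
    out[k] = store.getItem(k);
  }
  return out;
}

// Application-side wrapper. `config.disableLocalStorage` is a hypothetical
// client-side mirror of the hue.ini flag from proposal 2. `backing` lets the
// example run without a browser; omit it to use globalThis.localStorage.
function createAppStorage(config, backing) {
  const persistent = backing || globalThis.localStorage;
  // Disabled (or no localStorage available): never touch disk.
  const store = (!config.disableLocalStorage && persistent) ? persistent : memoryStorage();
  const prefix = config.prefix || 'hue.';   // assumed key namespace

  // Only the keys this application wrote; other apps on the origin are left alone.
  const ownedKeys = () => {
    const keys = [];
    for (let i = 0; i < store.length; i++) {
      const k = store.key(i);
      if (k.startsWith(prefix)) keys.push(k);
    }
    return keys;
  };

  return {
    set(key, value) { store.setItem(prefix + key, JSON.stringify(value)); },
    get(key) {
      const raw = store.getItem(prefix + key);
      return raw === null ? undefined : JSON.parse(raw);
    },
    // Call on explicit logout: the browser does not clear localStorage for you.
    clear() { ownedKeys().forEach((k) => store.removeItem(k)); },
    isPersistent() { return store === persistent; },
  };
}
```

      A note on proposal 1 in light of the above: any client-side encryption whose key is available to the page can be undone by a script running on that page, so masking hides values from casual inspection but is not a substitute for clearing on logout or disabling persistence.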


            People

            • Assignee: asnaik (Akhil S Naik)
            • Reporter: asnaik (Akhil S Naik)