Details
- Type: Bug
- Status: Resolved
- Priority: Major
- Resolution: Fixed
- Affects Version/s: 4.8.0
- Fix Version/s: None
- Component/s: core.ui
- Labels: None
- Backward Incompatible: Backward Incompatible
Description
Problem Statement: Local Storage, also known as Web Storage or Offline Storage, is a mechanism to store data as key/value pairs tied to a domain and enforced by the same-origin policy (SOP). Local storage is persistent and is intended to survive browser and system restarts.
Exploitability
HTML5 Local Storage suffers from the following limitations:
- By default, local storage persists between sessions.
- Session information stored in local storage cannot be protected from Cross-Site Scripting attacks the way cookies can (i.e. there is no HttpOnly equivalent).
- Sensitive data cached by a web browser can expose data in shared environments.
This attack requires access to the browser's local storage, either by compromising the victim user's computer through malicious software or by using a common, shared workstation on which the victim has previously logged in to the application in question. Local storage is not deleted after an explicit logout, nor when the browser is closed.
Currently HUE saves the following information in localStorage:
- Database name
- User’s last action
- Application user names
Though this information is not sensitive, we should provide a way either to mask it or to disable localStorage altogether.
Proposal 1: I am proposing the use of secure-ls (https://www.npmjs.com/package/secure-ls) to mask and compress the data stored in localStorage.
Proposal 2: I am proposing a new config under [desktop][[custom]], disable_localStorage=false, in hue.ini which allows disabling the usage of localStorage. The value will be false by default; customers can set it to true if they don't want to use the localStorage feature.
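The disable_localStorage toggle from Proposal 2, as an added JavaScript example that is not Hue's own code: a storage facade that routes writes to an in-memory store when the flag is set and removes the app's own keys on explicit logout (the gap noted under Exploitability). The config object, the `hue.` key prefix and the memoryStorage() stand-in for window.localStorage are assumptions made for this example.

```javascript
// Added example, not Hue's code. memoryStorage() is a constructed stand-in
// for window.localStorage (same getItem/setItem/removeItem/key/length API)
// so the example runs outside a browser.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
    key: (i) => Array.from(m.keys())[i] ?? null,
    get length() { return m.size; },
  };
}

// config.disable_localStorage mirrors the proposed hue.ini key under
// [desktop][[custom]]; `persistent` is window.localStorage in a browser.
function createAppStorage(config, persistent, prefix = 'hue.') {
  // Disabled: never touch the persistent store; values live only for the page lifetime.
  const store = config.disable_localStorage ? memoryStorage() : persistent;
  return {
    get(key) { return store.getItem(prefix + key); },
    set(key, value) { store.setItem(prefix + key, value); },
    // Logout handler: drop every key this app wrote, leave other origin keys alone.
    clearOnLogout() {
      const own = [];
      for (let i = 0; i < store.length; i++) {
        const k = store.key(i);
        if (k !== null && k.startsWith(prefix)) own.push(k);
      }
      own.forEach((k) => store.removeItem(k));
      return own.length;
    },
  };
}

// Exercise both settings against one shared stand-in for the persistent store.
function demo() {
  const disk = memoryStorage();
  disk.setItem('other.app', 'keep'); // constructed: another app's key on the same origin
  const enabled = createAppStorage({ disable_localStorage: false }, disk);
  enabled.set('db_name', 'default');
  const persisted = disk.getItem('hue.db_name'); // 'default': written to the persistent store
  const removed = enabled.clearOnLogout();       // 1: only the hue.* key is removed
  const afterLogout = disk.getItem('hue.db_name'); // null
  const disabled = createAppStorage({ disable_localStorage: true }, disk);
  disabled.set('db_name', 'default');
  const leaked = disk.getItem('hue.db_name');    // null: never reached the persistent store
  return { persisted, removed, afterLogout, leaked, other: disk.getItem('other.app') };
}
```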