Google Gears: A bit unsafe?

Google has recently presented Google Gears, a local DB storage system that currently allows to read feeds offline, and will be used in Google Docs and probably other services in the near future.

I tried it for some days, but I've actually uninstalled it, because it feels a bit unsafe for me.

First, on the online side there are possible XSS flaws that could be exploited. SQL Injection was feared too, but seems that the Gears DB API uses blind parameters inmune to SQLI.

And second, the data is located in a SQLite database, without any authentication. You can open them with SQLite Database Browser for example.

Right now an attacker would just get your feeds data, but what if GMail and Google Docs went offline too? Then it could be able to get more sensitive data... And that's something I don't like to be afraid of.

I hope they add additional security, because the tool itself is useful.

Posted by Kartones on 2007-06-10


Share via: Twitter Linkedin Google+ Facebook