Modern applications like offline Gmail are vulnerable to SQL injections

February 19, 2009 - 8:01am | News | Other themes
Michael Sutton, vice president of research at web security firm Zscaler, has published research showing that the new technologies that let Internet users work with web-based services while offline also expose them to new attacks. Offline web applications are gaining popularity largely because of Gears, an open-source project started by Google that lets data normally stored on a web server be cached instead on the end user's computer.

Gmail users can now read and write email even when they are not connected to the Internet. Like almost all other offline web applications, offline Gmail works by keeping a local relational database on the client PC (Gears' database module is an embedded SQLite database, scoped to the site's origin). The consequence, says Sutton, is that a single cross-site scripting (XSS) flaw or SQL injection flaw in the site's code is all it takes to gain full access to that database: script injected into the site's pages runs in the site's origin and can query the same local store the legitimate application uses.
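What this looks like in practice, as an added example that is not from the article or from Zscaler's research. It uses Python's sqlite3 module as a stand-in for the client-side database (Gears' database module is SQLite underneath, and its execute(sql, args) call binds ? placeholders the same way sqlite3 does here). The table layout, the sample messages and the settings row are constructed for the example. It contrasts a lookup that builds its SQL by string concatenation, as a hastily written offline client might, with the same lookup using bound parameters, and shows that one injectable query exposes not just the targeted table but every table in the local store.

```python
import sqlite3

# Constructed sample data standing in for an offline mail cache (not real messages).
SAMPLE_MESSAGES = [
    ("alice@example.com", "Q1 numbers", "Attached are the draft figures."),
    ("bob@example.com", "Lunch?", "Noon at the usual place."),
    ("hr@example.com", "Payroll change", "Your new direct deposit details are on file."),
]
# A second table the application keeps alongside the mail: a constructed
# auth token, to show that an injection into one query reaches every table.
SAMPLE_SETTINGS = [("auth_token", "constructed-example-token")]


def build_offline_store():
    """Create an in-memory SQLite database shaped like an offline mail cache."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE messages (id INTEGER PRIMARY KEY, sender TEXT, subject TEXT, body TEXT)"
    )
    conn.execute("CREATE TABLE settings (name TEXT PRIMARY KEY, value TEXT)")
    conn.executemany(
        "INSERT INTO messages (sender, subject, body) VALUES (?, ?, ?)", SAMPLE_MESSAGES
    )
    conn.executemany("INSERT INTO settings (name, value) VALUES (?, ?)", SAMPLE_SETTINGS)
    conn.commit()
    return conn


def search_vulnerable(conn, sender):
    """Vulnerable: the caller-supplied value is spliced into the SQL text."""
    sql = "SELECT subject, body FROM messages WHERE sender = '" + sender + "'"
    return conn.execute(sql).fetchall()


def search_parameterized(conn, sender):
    """Hardened: the value is bound as a parameter and can never become SQL."""
    sql = "SELECT subject, body FROM messages WHERE sender = ?"
    return conn.execute(sql, (sender,)).fetchall()


# Payloads an attacker could deliver through an XSS flaw or any other path
# that lets them choose the search string.
DUMP_ALL = "nobody@example.com' OR '1'='1"
# Closes the string, appends a UNION onto the settings table, and comments
# out the application's trailing quote with SQLite's -- comment marker.
READ_OTHER_TABLE = "x' UNION SELECT name, value FROM settings --"


def demo():
    """Run each query against a fresh store and return the rows it produced."""
    conn = build_offline_store()
    return {
        "honest": search_vulnerable(conn, "bob@example.com"),
        "dump_all": search_vulnerable(conn, DUMP_ALL),
        "other_table": search_vulnerable(conn, READ_OTHER_TABLE),
        "bound_dump_all": search_parameterized(conn, DUMP_ALL),
        "bound_other_table": search_parameterized(conn, READ_OTHER_TABLE),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The honest lookup returns Bob's one message; the first payload returns every message in the cache, and the second returns the auth token from a table the query never mentioned. With bound parameters both payloads are simply treated as (non-matching) sender addresses. In the Gears API the same contrast is between assembling the SQL string in JavaScript and passing values in the args array of db.execute. Note also that because the local database is scoped to the site's origin, script running there via an XSS flaw does not even need an injectable query: it can open the database and issue its own SELECTs.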

"It really changes the landscape from an attacker's perspective," Sutton says. "I as an end user can have a fully patched system surfing a reputable site and still be vulnerable because there is a weakness on the page I'm viewing. You are actually made vulnerable if the site has a vulnerability in it."

"These are cool technologies, and they should be adopted," he says. "But you have to understand the risk. It increases the level of risk, and you also need to increase the level of testing to secure it."
