Websites that accidentally distribute rogue code could find it harder to undo the damage if attackers exploit widespread browser support for HTML5 local storage and an increasing tendency for heavy users of Web apps never to close their browser.
If browsers don’t provide a mechanism for websites to securely recover from certain cross-site scripting attacks, the attacks could become invincible and the site at the origin of the attack remain compromised indefinitely, warned vulnerability researcher and Google security engineer Michal Zalewski.
A normal response to XSS attacks is to patch the vulnerability, invalidate session cookies so everyone must re-authenticate, and optionally force a password change. But this is not enough, because once compromised a Web origin can stay tainted indefinitely, Zalewski said.
“At the very minimum, the attacker is in full control for as long as the user keeps the once-affected website open in any browser window; with the advent of portable computers, it is not uncommon for users to keep a single commonly used website open for weeks,” he said. “During that period, there is nothing the legitimate owner of the site can do — and in fact, there is no robust way to gauge if the infection is still going on.”
In essence, there is no way for websites to ensure their users no longer feel the affects of an XSS attack. Still, one would think that such an attack would stop at some point without the website’s intervention, such as when closing the tab or the browser, but as it turns out, that’s not necessarily the case.
There are several methods that attackers can use to extend their hold on a compromised origin pretty much indefinitely, Zalewski said.
If Facebook was the target of such an exploit, then given the way users constantly open new pages from the site, or external websites carrying Facebook Like buttons, the compromise could go on for as long as one of those pages remained open.