21 Financial Sites Found To Store Sensitive Data In Browser Disk Cache

21 Financial Sites Found To Store Sensitive Data In Browser Disk Cache 118

Posted by samzenpus on Thursday June 20, 2013 @02:56AM from the out-in-the-open dept.

An anonymous reader writes "The LA Times mentions that after visiting well known sites such as ADP, Verizon Wireless, Scottrade, Geico, Equifax, PayPal and Allstate, sensitive data remains in the browser disk cache despite those sites using SSL. This included full credit reports, prescription history, payroll statements, partial SSNs, credit card statements, and canceled checks. Web servers are supposed to send a Cache-Control: no-store header to prevent this, but many of the sites are sending non-standard headers recognized only by Internet Explorer, and others are sending no cache headers at all. While browsers were once cautious about writing content received over SSL to the disk cache, today, most do so by default unless the server specifies otherwise."

21 Financial Sites Found To Store Sensitive Data In Browser Disk Cache

This discussion has been archived. No new comments can be posted.

Search 118 Comments Log In/Create an Account

Comments Filter:

"Despite Using SSL" (Score:3, Insightful)

by Anonymous Coward writes: on Thursday June 20, 2013 @03:04AM (#44058061)

What does SSL have to do with what happens to the data once it's local?
I understand that most people are clueless, but this is slashdot still, right? I haven't stumbled upon some other site on which to dig up TFA (not that I've read it).

Scaremongering (Score:2, Insightful)

by YA_Python_dev ( 885173 ) writes: on Thursday June 20, 2013 @03:14AM (#44058093) Journal

This is BS. If an attacker has access to your files in your local disk, they have already won.

Reading fail (Score:3, Insightful)

by wonkey_monkey ( 2592601 ) writes: on Thursday June 20, 2013 @04:15AM (#44058301) Homepage

but many of the sites are sending non-standard headers recognized only by Internet Explorer
Still, you got paid, what do you care?

Re:This is actually a very bad idea, if true (Score:4, Insightful)

by bloodhawk ( 813939 ) writes: on Thursday June 20, 2013 @05:26AM (#44058543)

The real problem here is the standard is just plain retarded. Even though I hate Apple I think their approach is the lesser evil. The default should be don't cache, web servers should then be able to enable caching if they want to sacrifice some security for performance (assuming the user hasn't explicitly disabled caching). It would be nice to be able to rely on users having well managed machines or the internet being made up of mostly well managed servers but lets face it that aint happening anytime soon in anything but well run enterprises and IT literate end users.

Re:This is actually a very bad idea, if true (Score:5, Insightful)

by anegg ( 1390659 ) writes: on Thursday June 20, 2013 @07:51AM (#44059149)

Note that the claim is that Safari doesn't cache to DISK, not that Safari doesn't cache. I.e., Safara doesn't store information that was deemed sensitive enough to require a secure channel on a long-term (probably unencrypted) storage medium.

There may be more comments in this discussion. Without JavaScript enabled, you might want to turn on Classic Discussion System in your preferences instead.

21 Financial Sites Found To Store Sensitive Data In Browser Disk Cache 118

21 Financial Sites Found To Store Sensitive Data In Browser Disk Cache More Login

21 Financial Sites Found To Store Sensitive Data In Browser Disk Cache

"Despite Using SSL" (Score:3, Insightful)

Scaremongering (Score:2, Insightful)

Reading fail (Score:3, Insightful)

Re:This is actually a very bad idea, if true (Score:4, Insightful)

Re:This is actually a very bad idea, if true (Score:5, Insightful)

Related Links Top of the: day, week, month.

Slashdot Top Deals

Slashdot