Hello, welcome to the Friday, April 3, 2020 edition of the Sansonet Storm Center.

Stormcast, my name is Johannes, Ulrich, and then I'm recording from Jacksonville, Florida.

Running complex web applications on shared devices has always been a little bit tricky because a lot of modern web applications are storing

data on the client in order to achieve a more seamless and more responsive user experience.

Well, Twitter was no exception and apparently they didn't quite understand how Firefox is dealing with this data.

Now, the application of course can also delete data itself or it can rely on the browser to do so.

Apparently Firefox is keeping data that the application stored within the browser for seven days.

And in Twitter's case, this data included, for example, private messages.

So no big deal really if you are the only user of the particular computer, but if you're

sharing this computer and other authorized user would be able to retrieve

these messages from the cache on the system. It's actually an issue that we talk about in our

defending web application class, in particular when it comes to local storage, sort of a JavaScript

API that's quite often used for this kind of storage.

But then again, I believe there are plenty of applications other than Twitter out there

that are storing too much data on the browser.

And it's probably a good idea to occasionally just clear out the data.

This is data that's stored in addition to cookies.

So this does not necessarily mean just cookies, but definitely includes cookies as well.

And if you were around 17 years ago, you may remember SQL Slammer, one of the big warms

that, well, attacked Microsoft SQL Server.

Sadly, I guess we haven't learned since then, and people still expose Microsoft SQL server

to the internet.

...