Anonymous Asked in Cars & Transportation · 2 weeks ago

Why LocalStorage is not secure?

If a site is vulnerable to XSS, LocalStorage is not safe. Local storage shares many of the same characteristics as a cookie, including the same security risks. One of those is susceptibility to cross-site scripting, which steals cookies to let hackers masquerade as a user with their login session for a site. Jan 30, 2020


Why is local storage not safe?

XSS attacks allow attackers to inject client-side scripts into Web pages viewed by other users. If someone injects their own JavaScript code into your website, they can retrieve all the data stored in the LocalStorage and send it anywhere. All sensitive data stored in LocalStorage can be stolen.
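
The point above as a defensive check (an added example, not part of the original answers): any script running in the page's origin can walk storage through `length`, `key()` and `getItem()`, so this audit walks the same interface and flags entries that look like credentials. `MemoryStorage`, `auditStorage`, the two patterns and the sample data are constructed for illustration; `MemoryStorage` only stands in for `window.localStorage` so the block runs in Node.

```javascript
// Constructed stand-in for window.localStorage (read-only subset of the Storage interface).
class MemoryStorage {
  constructor(init = {}) { this.map = new Map(Object.entries(init)); }
  get length() { return this.map.size; }
  key(i) { return [...this.map.keys()][i] ?? null; }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
}

// Heuristics (assumptions, tune per application): key names that suggest credentials,
// and values shaped like a JWT (three base64url segments, header starting with "eyJ").
const SENSITIVE_KEY = /(token|secret|passw|session|auth|api[_-]?key)/i;
const JWT_SHAPE = /^eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$/;

// Returns [{ key, reasons }] for every entry an injected script would find worth taking.
function auditStorage(storage) {
  const findings = [];
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    const value = storage.getItem(key) ?? "";
    const reasons = [];
    if (SENSITIVE_KEY.test(key)) reasons.push("sensitive-key-name");
    if (JWT_SHAPE.test(value)) reasons.push("jwt-shaped-value");
    // Tokens are often wrapped in a JSON blob: inspect one level of string fields.
    try {
      const parsed = JSON.parse(value);
      if (parsed && typeof parsed === "object") {
        for (const [k, v] of Object.entries(parsed)) {
          if (typeof v === "string" && (SENSITIVE_KEY.test(k) || JWT_SHAPE.test(v))) {
            reasons.push(`nested:${k}`);
          }
        }
      }
    } catch { /* value is not JSON; nothing more to inspect */ }
    if (reasons.length) findings.push({ key, reasons });
  }
  return findings;
}

// Constructed sample data (not from the page).
const sample = new MemoryStorage({
  theme: "dark",
  access_token: "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjMifQ.c2lnbmF0dXJl",
  user: JSON.stringify({ name: "alice", refreshToken: "opaque-value-123" }),
  cart: JSON.stringify([{ sku: "A1", qty: 2 }]),
});
console.log(auditStorage(sample));
```

In a browser console, `auditStorage(window.localStorage)` runs the same check against the real store for the current origin.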

Is it safe to use LocalStorage?

No. localStorage is accessible by any webpage, and if you have the key, you can change whatever data you want. That being said, if you can devise a way to safely encrypt the keys, it doesn't matter how you transfer the data; if you can contain the data within a closure, then the data is (somewhat) safe.

Can LocalStorage be hacked?

Local storage is bound to the domain, so in the regular case the user cannot change it on any other domain or on localhost. It is also bound per user/browser, i.e. no third party has access to one's local storage. Nevertheless, local storage is in the end a file on the user's file system and may be hacked.

Should LocalStorage be encrypted?

If you're using a global secret for encryption, make sure not to expose “ls” to the window object, as there could be a risk of exposing your secret. It is therefore recommended to only encrypt data that really needs to be encrypted (i.e. not use global encryption if “ls” is exposed to the window object).
