March 04, 2013

How HTML5 Can Turn Data into a Bad Monster Movie

For those out there who remember “The Blob”—either the remake or the original—it’s not hard to recall how that giant mass of goo engulfed just about everything it came across. In a recent, and somewhat disturbing, development, a vulnerability in HTML5 turns data into a similar goo-like problem, except this time the target is a user’s free hard drive space. A computer science student named Feross Aboukhadijeh demonstrated the vulnerability, and its sheer insidious nature could well turn a hard drive into a platter completely engulfed with cat photos.

Aboukhadijeh set up a proof-of-concept website, which demonstrates just how a user’s hard drive can be suddenly engulfed with data thanks to HTML5’s storage vulnerabilities. Most browsers put a limit on the amount of storage space that any one website can take up. For instance, Google Chrome caps each site at 2.5 megabytes, while Internet Explorer allows 10 megabytes. The HTML5 standard, meanwhile, dictates that this limit should be shared across all of a site’s affiliated sites.

But in most browsers—Firefox appears unaffected thanks to an entirely different way of enforcing the space rule—the affiliated-site rule isn’t enforced. This means that, as long as a site can create affiliates, it can fill its storage allowance to the limit, set up a new affiliate to claim a fresh allowance, and repeat again and again until the hard drive is as engulfed as anyone in either version of “The Blob.”
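To make the accounting problem concrete, here is an added model (not code from the article or from Aboukhadijeh’s site) of two quota policies: charging each origin separately, as the affected browsers did, versus pooling the quota across affiliated subdomains, as the standard intends. The `example.test` hosts, the 64 KB write size and the simplistic “last two labels” site key are constructed assumptions; the 2.5 MB limit is the Chrome figure the article cites.

```javascript
const MB = 1024 * 1024;

// Toy registrable-domain key: the last two host labels. Assumption: no
// public-suffix handling (e.g. "co.uk"), which a real browser would need.
function siteKey(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// Tracks bytes stored per accounting key under a fixed per-key limit.
// mode 'origin': every host gets its own allowance (the vulnerable behaviour).
// mode 'site':   affiliated subdomains share one allowance (the intended rule).
class StorageQuota {
  constructor(mode, limitBytes) {
    this.mode = mode;
    this.limit = limitBytes;
    this.used = new Map(); // accounting key -> bytes stored
  }

  keyFor(host) {
    return this.mode === 'site' ? siteKey(host) : host;
  }

  // Returns true if the write fits, false where a browser would throw QuotaExceeded.
  setItem(host, bytes) {
    const key = this.keyFor(host);
    const current = this.used.get(key) || 0;
    if (current + bytes > this.limit) return false;
    this.used.set(key, current + bytes);
    return true;
  }

  totalBytes() {
    let sum = 0;
    for (const v of this.used.values()) sum += v;
    return sum;
  }
}

// Simulates a page that fills its allowance, then moves on to a new subdomain,
// and returns the total bytes the disk ends up holding under the chosen policy.
function simulateFill(mode, subdomains, chunkBytes, limitBytes = 2.5 * MB) {
  const q = new StorageQuota(mode, limitBytes);
  for (let i = 0; i < subdomains; i++) {
    const host = `${i}.example.test`;
    while (q.setItem(host, chunkBytes)) { /* fill until the quota refuses */ }
  }
  return q.totalBytes();
}
```

With 100 subdomains the per-origin policy stores 100 times the limit, while the per-site policy never exceeds a single 2.5 MB allowance.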

In the case of Aboukhadijeh’s demonstration site, the stuff that lands on a user’s hard drive is cat pictures. Tons of cat pictures. However, the site will release the space it takes up when asked to do so, something that less scrupulous sites may not do. Aboukhadijeh has already alerted Chrome and Safari by filing the bug, meaning chances are good that a fix will arrive in short order for these browsers. IE users, meanwhile, may be in for some trouble, since the bug-fix link appears to be dead at last report.

This could have been disastrous had it gone on too long, but thankfully the issue seems well on its way to being repaired, at least everywhere except Internet Explorer. Hopefully IE will catch up and get some repairs going as well. There is plenty of potential in HTML5, but reviewing its vulnerabilities, bugs, and similar issues is worthwhile for reasons precisely like this one.

Therefore, the best solution here would seem to be to just keep an eye out for updates—maybe switch to Firefox in the short term—and, as ever, exercise a bit of care when going out online.
