March 04, 2013

HTML5 Loophole Lets Malicious Websites Fill Users’ Hard Drives

The use of HTML5 in cloud-based Web applications might appear to save space on a user’s hard drive, but one developer has found a loophole that would allow malicious websites to fill up a hard drive instantly.

The key to the exploit is the ability of HTML5 sites to store data on hard drives, the way a desktop application would.

Feross Aboukhadijeh, a graduate student at Stanford, has uncovered the exploit. HTML5 allows sites to store more data than they could in the traditional cookie, which allowed a few kilobytes.

The HTML5 draft standard does not mandate the exact amount of data sites are allowed to store on users’ hard drives, but advises browser developers to stick to sensible limits of around 5 MB.

Different browsers have different limits. Google Chrome allows only 2.5 MB of storage per domain. Firefox and Opera allow 5 MB per domain, and Internet Explorer allows sites to store 10 MB of data.

These look like reasonable amounts of information to store, but Aboukhadijeh has discovered that most browsers count subdomains as separate sites, allowing malicious coders to create an infinite array of subdomains, each with the maximum amount of data the browser allows.

It’s effectively a denial of service (DoS) attack.

Aboukhadijeh has created a proof-of-concept site to demonstrate the vulnerability.

“Oh hai there… Filling your hard disk with lots of cats…” a message says on the page, while the Russian song “I Am Glad, ‘Cause I’m Finally Returning Back Home,” better known to millions of Internet users as “the Trololo song” plays in the background. A counter shows how much space is being taken up.

To reclaim their hard drive space, users can click a button reading “Stop the madness!” The exploit works in Google Chrome, Safari, Opera and Internet Explorer. Firefox is apparently immune to the attack.

Aboukhadijeh encourages users of affected browsers to file bug reports so the vendors fix this problem quickly.
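
The subdomain accounting gap described above, modelled next to one way a browser could close it by charging every subdomain to a single per-site budget. This is an added example, not code from Aboukhadijeh's demonstration or from any browser; `QuotaLedger`, `siteKey`, `simulate` and the `example.test` host names are hypothetical, and the two-label site key is a simplification of a Public Suffix List lookup.

```javascript
// Added example: storage quota keyed per origin vs. per site (registrable domain).
const LIMIT = 5 * 1024 * 1024; // 5 MB, the limit the draft standard suggests

// Assumption: the registrable domain is the last two labels. A real browser
// would consult the Public Suffix List (needed for suffixes such as "co.uk").
function siteKey(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

class QuotaLedger {
  constructor(keyFn, limit = LIMIT) {
    this.keyFn = keyFn;    // maps a hostname to the bucket that is charged
    this.limit = limit;    // bytes allowed per bucket
    this.used = new Map(); // bucket -> bytes already stored
  }
  // Records the write and returns true only if it fits in the bucket's quota.
  tryWrite(hostname, bytes) {
    const key = this.keyFn(hostname);
    const current = this.used.get(key) || 0;
    if (current + bytes > this.limit) return false;
    this.used.set(key, current + bytes);
    return true;
  }
  totalBytes() {
    let sum = 0;
    for (const v of this.used.values()) sum += v;
    return sum;
  }
}

// Constructed input: `count` subdomains of one site each request a full quota.
function simulate(ledger, count, bytesPerHost = LIMIT) {
  let accepted = 0;
  for (let i = 1; i <= count; i++) {
    if (ledger.tryWrite(`s${i}.example.test`, bytesPerHost)) accepted++;
  }
  return { accepted, totalBytes: ledger.totalBytes() };
}

const perOrigin = simulate(new QuotaLedger(h => h), 100);   // each subdomain is its own bucket
const perSite = simulate(new QuotaLedger(siteKey), 100);    // all subdomains share one bucket
console.log({ perOrigin, perSite });
```

With per-origin keys the disk usage grows with the number of subdomains; with the per-site key it stays at one quota no matter how many subdomains write.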

Edited by Braden Becker

