The use of HTML5 in cloud-based Web applications might appear to save space on a user’s hard drive, but one developer has found a loophole that would allow malicious websites to fill up a hard drive instantly.
The key to the exploit is the ability of HTML5 sites to store data on hard drives, the way a desktop application would.
Feross Aboukhadijeh, a graduate student at Stanford, has uncovered the exploit. HTML5 allows sites to store more data than they could in the traditional cookie, which allowed a few kilobytes.
The HTML5 draft standard does not mandate the exact amount of data sites are allowed to store on users’ hard drives, but advises browser developers to stick to sensible limits of around 5 MB.
Different browsers have different limits. Google Chrome allows only 2.5 MB of storage per domain. Firefox and Opera allow 5 MB per domain, and Internet Explorer allows sites to store 10 MB of data.
These look like reasonable amounts of information to store, but Aboukhadijeh has discovered that most browsers count subdomains as separate sites, allowing malicious coders to create an infinite array of subdomains, each with the maximum amount of data the browser allows.
It’s effectively a denial of service (DoS) attack.
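The accounting difference described above, as an added example that is not part of the original article or of Aboukhadijeh's proof of concept: a JavaScript model of a quota manager that caps usage per hostname versus per registrable domain. The 5 MB limit comes from the article; the hostnames, the three-entry public-suffix set, and the names QuotaManager, registrableDomain and simulate are assumptions made for illustration.

```javascript
// Model of browser storage quota accounting (added illustration, not browser code).
const LIMIT = 5 * 1024 * 1024; // 5 MB, the limit the draft standard suggests

// Assumption: a tiny constructed suffix set; real browsers use the full Public Suffix List.
const PUBLIC_SUFFIXES = new Set(["com", "org", "co.uk"]);

// Return the registrable domain (public suffix plus one label) of a hostname.
function registrableDomain(host) {
  const name = host.toLowerCase();
  const labels = name.split(".");
  for (let i = 0; i < labels.length; i++) { // longest candidate suffix first
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return i === 0 ? name : labels.slice(i - 1).join(".");
    }
  }
  return name; // unknown suffix: treat the whole hostname as the site
}

class QuotaManager {
  // keyFn maps a hostname to the bucket whose usage is capped at LIMIT.
  constructor(keyFn) {
    this.keyFn = keyFn;
    this.usage = new Map();
  }
  // Account for a write of `bytes` from `host`; refuse it if the bucket would overflow.
  write(host, bytes) {
    const key = this.keyFn(host);
    const used = this.usage.get(key) || 0;
    if (used + bytes > LIMIT) return false;
    this.usage.set(key, used + bytes);
    return true;
  }
  total() {
    return [...this.usage.values()].reduce((a, b) => a + b, 0);
  }
}

// Constructed workload: `count` subdomains of one site each try to store a full quota.
function simulate(manager, count) {
  for (let i = 0; i < count; i++) manager.write(`${i}.example.com`, LIMIT);
  return manager.total();
}

const perHost = simulate(new QuotaManager((h) => h.toLowerCase()), 200);
const perSite = simulate(new QuotaManager(registrableDomain), 200);
console.log(`per-hostname buckets: ${perHost / LIMIT} x 5 MB stored`);
console.log(`per-site buckets:     ${perSite / LIMIT} x 5 MB stored`);
```

With one bucket per hostname the total grows with the number of subdomains; with one bucket per registrable domain it stays at a single quota no matter how many subdomains write.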
Aboukhadijeh has created a proof-of-concept site, Filldisk.com, to demonstrate the vulnerability.
“Oh hai there… Filling your hard disk with lots of cats…” a message says on the page, while the Russian song “I Am Glad, ‘Cause I’m Finally Returning Back Home,” better known to millions of Internet users as “the Trololo song” plays in the background. A counter shows how much space is being taken up.
To reclaim their hard drive space, users can click a button reading “Stop the madness!” The exploit works in Google Chrome, Safari, Opera and Internet Explorer. Firefox is apparently immune to the attack.
Aboukhadijeh encourages users of affected browsers to file bug reports so the vendors fix this problem quickly.
Edited by Braden Becker