HTML 5 bug allows huge data dumps on most Mac and PC Web browsers

Posted:
in General Discussion edited January 2014
A recently discovered flaw in the HTML 5 coding language could allow websites to bombard users with gigabytes of junk data, with a number of popular browsers being open to the vulnerability.

According to developer Feross Aboukhadijeh, who uncovered the bug this week, data dumps can be performed on most major Web browsers, including Apple's Safari, Google's Chrome, Microsoft's Internet Explorer and Opera, the BBC reported. The only browser to stop data dump tests was Mozilla's Firefox, which capped storage at 5MB.




Exploit proof of concept video. | Source: Feross Aboukhadijeh


The problem is rooted in how HTML 5 handles local data storage. While each browser has different storage parameters, many of which support user-definable limits, all provide for at least 2.5 megabytes of data to be stored on a user's computer.

Aboukhadijeh discovered a loophole that bypasses the imposed data cap by creating numerous temporary websites that are linked to a user-visited site. Because most browsers don't account for the contingency, the secondary sites were allowed local storage provisions in amounts equal to the primary site's limit. By generating a multitude of linked websites, the bug can dump enormous amounts of data onto affected computers.

In testing the flaw, Aboukhadijeh was able to dump 1GB of data every 16 seconds on his SSD-equipped MacBook Pro with Retina display. He noted that 32-bit browsers like Chrome may crash before a disk is filled.

"Cleverly coded websites have effectively unlimited storage space on visitor's computers," Aboukhadijeh wrote in a blogpost.

The developer has released code to exploit the bug and has created a dedicated website called Filldisk to highlight the flaw. In true internet meme fashion, the site dumps images of cats on to an affected machine's hard drive.

Bug reports have already been sent to makers of the affected Web browsers, and Aboukhadijeh said malicious use of his code has yet to be seen in the wild.
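
The quota behaviour described above comes down to which key a browser uses when it adds up stored bytes. The following model is an added example, not code from the article or from Aboukhadijeh: it replays one write sequence under host-specific and domain-specific accounting. The names `QuotaLedger`, `originKey`, `siteKey` and `simulate`, the `example.test` hosts, and the two-label domain rule are assumptions made for illustration.

```javascript
// Added illustration: how the key used for quota accounting bounds total storage.
const QUOTA_BYTES = 5 * 1024 * 1024;   // 5MB cap, the Firefox figure in the article
const WRITE_BYTES = 2.5 * 1024 * 1024; // 2.5MB, the minimum allowance in the article

// Host-specific key: scheme + host + port, so every subdomain or port is new.
function originKey(url) {
  return new URL(url).origin;
}

// Domain-specific key (simplifying assumption): last two host labels.
// A real browser would consult the Public Suffix List here.
function siteKey(url) {
  return new URL(url).hostname.split('.').slice(-2).join('.');
}

class QuotaLedger {
  constructor(keyFn, quota = QUOTA_BYTES) {
    this.keyFn = keyFn;
    this.quota = quota;
    this.used = new Map(); // bucket key -> bytes stored
  }

  // Accept the write only if the bucket stays within its quota.
  write(url, bytes) {
    const key = this.keyFn(url);
    const current = this.used.get(key) || 0;
    if (current + bytes > this.quota) return false;
    this.used.set(key, current + bytes);
    return true;
  }

  totalBytes() {
    let sum = 0;
    for (const v of this.used.values()) sum += v;
    return sum;
  }
}

// Replay the same write sequence under a given keying policy.
function simulate(keyFn, urls, bytesEach = WRITE_BYTES) {
  const ledger = new QuotaLedger(keyFn);
  let rejected = 0;
  for (const u of urls) if (!ledger.write(u, bytesEach)) rejected++;
  return { totalBytes: ledger.totalBytes(), buckets: ledger.used.size, rejected };
}

// Constructed sample: 200 subdomains of one site plus one alternate port.
const sampleUrls = Array.from({ length: 200 }, (_, i) => `http://s${i}.example.test/`);
sampleUrls.push('http://example.test:8080/');

console.log('per-origin:', simulate(originKey, sampleUrls));
console.log('per-site:  ', simulate(siteKey, sampleUrls));
```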

Comments

  • Reply 1 of 46
    tallest skiltallest skil Posts: 43,399member


    Watch Adobe play this up big time.

  • Reply 2 of 46
    MarvinMarvin Posts: 14,195moderator
    The developer has released code to exploit the bug and has created a dedicated website called Filldisk to highlight the flaw. In true internet meme fashion, the site dumps images of cats on to an affected machine's hard drive.

    Bug reports have already been sent to makers of the affected Web browsers, and Aboukhadijeh said malicious use of his code has yet to been seen in the wild.

    Nice of him to release this to the public before any of the browser developers can fix it.
  • Reply 3 of 46
    I like how it emphasizes his "his SSD-equipped MacBook Pro with Retina display". Whether or not he has an SSD or what kind of display is completely irrelevant to the bug. I have one of those machines also, but I'm not talking to people like "hey, can you shoot me an email to my SSD-equipped MacBook Pro with Retina display, BTO with extra features btw, sitting on an expensive table in my spacious 5th Avenue apartment, in front of the Van Gogh?".

    There are also no retina MBPs without an SSD.
  • Reply 4 of 46


    i must know the name of that song on the video!

  • Reply 5 of 46
    sockrolidsockrolid Posts: 2,788member
    I can haz fill disk?
  • Reply 6 of 46

    Quote:

    Originally Posted by UncleOwn View Post



    I like how it emphasizes his "his SSD-equipped MacBook Pro with Retina display". Whether or not he has an SSD or what kind of display is completely irrelevant to the bug. I have one of those machines also, but I'm not talking to people like "hey, can you shoot me an email to my SSD-equipped MacBook Pro with Retina display, BTO with extra features btw, sitting on an expensive table in my spacious 5th Avenue apartment, in front of the Van Gogh?".



    There are also no retina MBPs without an SSD.


     


    It's just another embarrassment for Apple. Time for Tim Cook to step down! /s

  • Reply 7 of 46
    ciparisciparis Posts: 87member
    There is a well-known (to developers) feature of HTML5 that is designed to allow web applications to store data locally; it can be used for storing parts of the app (so you don't have to re-download them later), catalog data, big images -- whatever you want. Every browser has controls allowing you to delete this data.

    The fact that it performs exactly that function is hardly a bug. It's arguable that various (among different browsers) built-in size limits should be domain-specific rather than host-specific, but this is really not a particularly earth-shattering distinction; using additional domains to get access to more storage space doesn't require much more "cleverness" than using additional hostnames.

    I don't know whether Aboukhadijeh is an attention whore, or whether click-craving sites are so desperate for traffic that they'll post whatever sensational-sounding "security" story they come across, regardless of whether they have the slightest idea what it means. It's sensationalist nonsense, either way.
  • Reply 8 of 46
    charlitunacharlituna Posts: 7,198member
    So this video allegedly proves it can be done with Chrome

    What about the other browsers. Where is the proof for those

    And what is the super huge issue. Is there some flaw that lets websites dump data into our computers and then come back and retrieve it, or possibly something else off our computers. Or is this just cached data that we can dump out like all other caches, ending the whole thing and the browser crashing. That is until a point update in the affected and allegedly affected browsers kills the issue.
  • Reply 9 of 46
    macxpressmacxpress Posts: 4,704member


    Apple better block Safari and Chrome now....They block everything else for their users. 

  • Reply 10 of 46
    jblongzjblongz Posts: 146member

    Quote:

    Originally Posted by UncleOwn View Post



    I like how it emphasizes his "his SSD-equipped MacBook Pro with Retina display". Whether or not he has an SSD or what kind of display is completely irrelevant to the bug. I have one of those machines also, but I'm not talking to people like "hey, can you shoot me an email to my SSD-equipped MacBook Pro with Retina display, BTO with extra features btw, sitting on an expensive table in my spacious 5th Avenue apartment, in front of the Van Gogh?".



    There are also no retina MBPs without an SSD.


    I think this was mentioned to demonstrate how fast the data dumped to the drive.  1GB in 16secs

  • Reply 11 of 46
    tallest skiltallest skil Posts: 43,399member


    Originally Posted by macxpress View Post

    They block everything else for their users. 


     


    The implication being that you want unsafe plugins destroying your personal data, forcing Apple to be liable for something they're not.

  • Reply 12 of 46
    jragostajragosta Posts: 10,473member
    i must know the name of that song on the video!

    Shazam is amazing.

    Trololo by Eduard Khil
  • Reply 13 of 46
    mstonemstone Posts: 11,510member

    Quote:

    Originally Posted by JBlongz View Post




    Quote:

    Originally Posted by UncleOwn View Post



    I like how it emphasizes his "his SSD-equipped MacBook Pro with Retina display". Whether or not he has an SSD or what kind of display is completely irrelevant to the bug. I have one of those machines also, but I'm not talking to people like "hey, can you shoot me an email to my SSD-equipped MacBook Pro with Retina display, BTO with extra features btw, sitting on an expensive table in my spacious 5th Avenue apartment, in front of the Van Gogh?".



    There are also no retina MBPs without an SSD.


    I think this was mentioned to demonstrate how fast the data dumped to the drive.  1GB in 16secs



    How do you figure since regular hard drives can write data at around 3GB/s?

  • Reply 14 of 46
    anantksundaramanantksundaram Posts: 18,871member
    Marvin wrote: »
    The developer has released code to exploit the bug and has created a dedicated website called Filldisk to highlight the flaw. In true internet meme fashion, the site dumps images of cats on to an affected machine's hard drive.

    Bug reports have already been sent to makers of the affected Web browsers, and Aboukhadijeh said malicious use of his code has yet to been seen in the wild.

    Nice of him to release this to the public before any of the browser developers can fix it.

    Why shouldn't he want -- indeed, deserve -- his fifteen minutes of fame?

    You'd think that the supposedly smart smart people in these gazillion-billion dollar corporations would not leave something so seemingly stupidly vulnerable in something as basic and ubiquitous as a browser.

    Hooray for little Firefox.....
  • Reply 15 of 46
    mstonemstone Posts: 11,510member

    Quote:

    Originally Posted by Tallest Skil View Post


    Watch Adobe play this up big time.



    Why? 

  • Reply 16 of 46
    kdarlingkdarling Posts: 1,640member

    Quote:

    Originally Posted by ciparis View Post



    There is a well-known (to developers) feature of HTML5 ...


    Every browser has controls allowing you to delete this data.  ...


    I don't know whether Aboukhadijeh is an attention whore, or whether click-craving sites are so desperate for traffic that they'll post whatever sensational-sounding "security" story they come across, regardless of whether they have the slightest idea what it means. It's sensationalist nonsense, either way.


     


    This.  The situation is known to HTML5 developers.  The W3C also has a spec to prevent it, which just hasn't been implemented outside of Firefox yet.


     


    As for implementation, you could also change just the port number, and HTML5 gives you another storage space set as well.


     


    Quote:


    Originally Posted by charlituna


    And what is the super huge issue. Is there some flaw that lets websites dump data into our computers and then come back and retrieve it, or possibly something else off our computers.



     


    They can't steal anything.  This is just about filling up the hard drive with HTML5 storage, after which you can go to the options on any browser and delete it manually.


     


    Hmm.  So another thing that should be implemented in browsers to prevent this, might be a setting for max portion of hard drive to allocate for localstorage, just like they do for web page caching.

  • Reply 17 of 46
    MacProMacPro Posts: 17,866member
    mstone wrote: »
    How do you figure since regular hard drives can write data at around 3GB/s?

    Please tell me where you get your 3 GB/s Hard drives I really want one!
  • Reply 18 of 46
    mdriftmeyermdriftmeyer Posts: 7,194member
    ``The problem is rooted in how HTML 5 handles local data storage.''

    FYI: Local Data Storage implementations are just in the early stages of being ready to roll outside of nightly builds for WebKit and/or Mozilla, not to mention IE.

    These boundary conditions will be put in place.

    Making this an AI fluff piece is pathetic.
  • Reply 19 of 46
    mstonemstone Posts: 11,510member

    Quote:

    Originally Posted by digitalclips View Post




    Quote:

    Originally Posted by mstone View Post



    How do you figure since regular hard drives can write data at around 3GB/s?




    Please tell me where you get your 3 GB/s Hard drives I really want one!


    Sorry that should be Gbits not bytes and as I just looked it up, 3Gb is the theoretical maximum write speed for SATA II so practically speaking it would be quite a bit less however it could be pointed out that even at the easily attainable 150 MB per second, the HDD is still plenty fast enough to write 1GB in a lot less than 16 seconds so the specification of SSD mentioned in the article is still irrelevant. 

  • Reply 20 of 46
    rednivalrednival Posts: 331member

    Quote:

    Originally Posted by Tallest Skil View Post


    Watch Adobe play this up big time.



     


    Flash has web site storage.  The problem, as described, would very likely exist in Flash's own storage engine.  


     


     


    Mozilla, on the other hand, has every right to brag and play this up. I do not think Mozilla will though.  
