Flaw in HTML5 allows websites to bombard you with data until your hard drive is full

2013-02-28_233402

So you thought you would be safer with Flash gone and HTML5 taking over? Generally speaking, you are probably right — but not in this particular situation. Computer science graduate Feross Aboukhadijeh has demonstrated a proof-of-concept that allows websites to download unlimited amounts of data to your computer… until your hard drive runs out of free space.

Available at FillDisk.com, the proof-of-concept downloads 1GB of data every 16 seconds (as tested on a MacBook Pro Retina with SSD drive, and subject to Internet connection speed limitations of course) and works by exploiting a flaw in HTML5. Plus it requires absolutely no user-interaction once the user is on the website (i.e. you don’t need to download anything, it all happens on its own).

The flaw in HTML5 is actually not a flaw at all: it is the ‘Web Storage standard’ of HTML5 that allows websites to store large amounts of data on users’ computers (larger than traditional cookies). The idea behind this standard is noble; it is intended to facilitate the development of advanced HTML5 apps and improve user experience, such as saving form data and recovering that data if the browser crashes. The issue is, as demonstrated by Aboukhadijeh, that this standard can be abused by websites to bombard hard drives with unlimited data.

The kicker? This isn’t even a new discovery. As ArsTechnica points out, the people who developed this HTML5 standard explicitly state that browsers should implement browser-level controls to prevent websites from abusing the standard to push unlimited data. Have browsers complied? Yes, but poorly.

Chrome, Firefox, Internet Explorer, Opera, and Safari all have limits placed on how much data a website can store on a user’s computer via this HTML5 standard. However, Chrome, Internet Explorer, Opera, and Safari place the limit on a sub-domain level instead of the highest domain so all Aboukhadijeh had to do was cycle through sub-domains (e.g. a.filldisk.com, b.filldisk.com, c.filldisk.com, etc.) to bypass the limits placed by these browsers. In other words, Chrome, Internet Explorer, Opera, and Safari were unable to block this exploit.

Firefox, on the other hand, places the limit a better way and blocks this exploit, i.e. Firefox doesn’t allow websites to store unlimited amounts of data on your computer via the HTML5 Web Storage standard.

Hit up the link below to try FillDisk.com yourself.

FillDisk.com

[via ArsTechnica, Aboukhadijeh's website, image via dalcrose]

Share this post

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

5 comments

  1. thomaswilson

    this really is considered to be the most admirable options that come with HTML5 development . The cookies can be opened in different windows and have high security and performance. It also assures that there will be no loss of any data.

  2. newJason

    so what does a visitor do to stop the downloading once they visit this site? simply close the browser? I would like to know this before testing, as I do not want my HD to become full.