Flaw in HTML5 allows websites to bombard you with data until your hard drive is full


So you thought you would be safer with Flash gone and HTML5 taking over? Generally speaking, you are probably right — but not in this particular situation. Computer science graduate Feross Aboukhadijeh has demonstrated a proof-of-concept that allows websites to download unlimited amounts of data to your computer… until your hard drive runs out of free space.

Available at FillDisk.com, the proof-of-concept downloads 1GB of data every 16 seconds (as tested on a MacBook Pro Retina with SSD drive, and subject to Internet connection speed limitations of course) and works by exploiting a flaw in HTML5. Plus it requires absolutely no user-interaction once the user is on the website (i.e. you don’t need to download anything, it all happens on its own).

The flaw in HTML5 is actually not a flaw at all: it is the ‘Web Storage standard’ of HTML5 that allows websites to store large amounts of data on users’ computers (larger than traditional cookies). The idea behind this standard is noble; it is intended to facilitate the development of advanced HTML5 apps and improve user experience, such as saving form data and recovering that data if the browser crashes. The issue is, as demonstrated by Aboukhadijeh, that this standard can be abused by websites to bombard hard drives with unlimited data.

The kicker? This isn’t even a new discovery. As ArsTechnica points out, the people who developed this HTML5 standard explicitly state that browsers should implement browser-level controls to prevent websites from abusing the standard to push unlimited data. Have browsers complied? Yes, but poorly.

Chrome, Firefox, Internet Explorer, Opera, and Safari all have limits placed on how much data a website can store on a user’s computer via this HTML5 standard. However, Chrome, Internet Explorer, Opera, and Safari place the limit on a sub-domain level instead of the highest domain so all Aboukhadijeh had to do was cycle through sub-domains (e.g. a.filldisk.com, b.filldisk.com, c.filldisk.com, etc.) to bypass the limits placed by these browsers. In other words, Chrome, Internet Explorer, Opera, and Safari were unable to block this exploit.

Firefox, on the other hand, places the limit a better way and blocks this exploit, i.e. Firefox doesn’t allow websites to store unlimited amounts of data on your computer via the HTML5 Web Storage standard.

Hit up the link below to try FillDisk.com yourself.


[via ArsTechnica, Aboukhadijeh’s website, image via dalcrose]

Related Posts