HTML 5 Hole Could Fill Hard Drive with Junk Data -- Redmondmag.com

HTML 5 Hole Could Fill Hard Drive with Junk Data

Clicking on a Web site could cause your hard drive to be filled with unwanted and harmful data in a short period of time.

By Chris Paoli
03/06/2013

A security researcher revealed a discovered HTML 5 flaw last week that could allow attackers to perform data dumps by users of many popular Web browsers, including Internet Explorer, Google Chrome, Opera and Apple's Safari Web browser.

According to 22-year-old researcher Feross Aboukhadijeh, the vulnerability is due to the browsers mentioned not following the rules laid out by the World Wide Web Consortium (W3C) that states, " User agents should guard against sites storing data under the origins other affiliated sites, e.g. storing up to the limit in a1.example.com, a2.example.com, a3.example.com, etc, circumventing the main example.com storage limit."

"However, Chrome, Safari, and IE currently do not implement any such 'affiliated site' storage limit," said Aboukhadijeh in a blog post. "Thus, cleverly coded websites, like FillDisk.com, have effectively unlimited storage space on visitor's computers."

Aboukhadijeh has found a way to bypass the data limit by creating multiple temporary "affiliate" Web sites that can be used to inject a system with large amounts of data. In a proof-of-concept demo, he illustrated this by inserting a large amount of cat images on a system (and, of course, due to it being the Internet, had to pair the cat images with the overused, yet still amusing Trololo song).

While Aboukhadijeh explained that due to the HTML 5 data limit workaround, those using any of the affected Web browsers could eventually have their entire hard drive filled with unwanted data, he found the process takes much faster on a Macbook Pro Retina with a solid state drive (SSD) -- up to 1 GB of data can be injected every 16 seconds.

Due to how Mozilla caps data in its Firefox Web browser, it is immune to the flaw.

In true fashion that is the morally ambiguous life of a security researcher, Aboukhadijeh has both reported the flaw to the Web browser makers and has released the code for you and your friends to fill up others' hard drives with silly cat pictures (or it could be used for more nefarious purposes). Thankfully, so far there has been no word of the flaw being exploited in the wild.

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.

Featured

Cisco Warns of Brute Force Attacks Targeting VPNs and Firewalls

Cisco has revealed that a global increase in brute force attacks targeting Virtual Private Networks (VPNs) and other devices is currently taking place.
What's Inside Microsoft 365's Security Toolbox?

Microsoft provides plenty of native tools to secure Microsoft 365. IT pros just have to know where to look.
Microsoft Kills 30-Day Data Retention Policy for Copilot in Fabric

Microsoft this week announced several usability improvements coming to Copilot in Fabric in preparation of its general availability release later this year.
Using Microsoft Office to Build a Network Diagram 2

Now that we've set up our process, let's dig in with the actual execution.
Microsoft Graph 'Activity Logs' Feature Goes Live

Microsoft announced the general availability of the "activity logs" capability in Microsoft Graph, giving administrators more options to track user activity and identify patterns of potential misuse.