New MacBook Pros are here! Get the lowest prices anywhere: Apple Price Guides updated Aug 29th (exclusive coupons)
 


Sunday, March 03, 2013, 02:39 pm PT (05:39 pm ET)

HTML 5 bug allows huge data dumps on most Mac and PC Web browsers

A recently discovered flaw in the HTML 5 coding language could allow websites to bombard users with gigabytes of junk data, with a number of popular browsers being open to the vulnerability.

According to developer Feross Aboukhadijeh, who uncovered the bug this week, data dumps can be performed on most major Web browsers, including Apple's Safari, Google's Chrome, Microsoft's Internet Explorer and Opera, the BBC reported. The only browser to stop data dump tests was Mozilla's Firefox, which capped storage at 5MB.


Exploit proof of concept video. | Source: Feross Aboukhadijeh


The problem is rooted in how HTML 5 handles local data storage. While each browser has different storage parameters, many of which support user-definable limits, all provide for at least 2.5 megabytes of data to be stored on a user's computer.

Aboukhadijeh discovered a loophole that bypasses the imposed data cap by creating numerous temporary websites that are linked a user-visited site. Because most browsers don't account for the contingency, the secondary sites were allowed local storage provisions in amounts equal to the primary site's limit. By generating a multitude of linked websites, the bug can dump enormous amounts of data onto affected computers.

In testing the flaw, Aboukhadijeh was able to dump 1GB of data every 16 seconds on his SSD-equipped MacBook Pro with Retina display. He noted that 32-bit browsers like Chrome may crash before a disk is filled.

"Cleverly coded websites have effectively unlimited storage space on visitor's computers," Aboukhadijeh wrote in a blogpost.

The developer has released code to exploit the bug and has created a dedicated website called Filldisk to highlight the flaw. In true internet meme fashion, the site dumps images of cats on to an affected machine's hard drive.

Bug reports have already been sent to makers of the affected Web browsers, and Aboukhadijeh said malicious use of his code has yet to been seen in the wild.