Menu
HTML5 Web Storage loophole can be abused to fill hard disks with junk data

HTML5 Web Storage loophole can be abused to fill hard disks with junk data

Most browsers don't restrict the amount of data that websites can store through HTML5 Web Storage, researcher says

A security researcher has found a loophole in how the HTML5 Web Storage standard is implemented in the Google Chrome, Internet Explorer and Apple Safari browsers that could allow malicious websites to fill visitors' hard disk drives with large amounts of junk data.

HTML5 Web Storage defines an API (application programming interface) that allows websites to store more data inside browsers than was previously possible by using cookies, which are restricted to a size of maximum 4KB.

The localStorage attribute of the Web Storage API allows websites to store between 2.5MB and 10MB of data per origin -- domain name -- depending on the browser used. Google Chrome enforces a limit of 2. MB, Mozilla Firefox a limit of 5MB and Internet Explorer a limit of 10MB.

However, the Web Storage standard warns that some websites might attempt to circumvent the storage limit by storing data from their subdomains. "User agents should guard against sites storing data under the origins other affiliated sites, e.g. storing up to the limit in a1.example.com, a2.example.com, a3.example.com, etc, circumventing the main example.com storage limit," according to the standard, published by the World Wide Web Consortium.

"Chrome, Safari, and IE currently do not implement any such 'affiliated site' storage limit," Web developer and security researcher Feross Aboukhadijeh said Wednesday in a blog post. Since website owners can generate subdomains at will, they can exploit this loophole to effectively gain unlimited storage space on visitors' computers, he said.

Aboukhadijeh created a proof-of-concept website that uses this trick to fill visitors' hard disk drives with junk data. The site was tested with Chrome 25, Safari 6, Opera 12 and IE 10, and was capable of writing 1GB of data every 16 seconds on a Macbook Pro equipped with a solid state drive (SSD), the researcher said.

"For 32-bit browsers, like Chrome, the entire browser may crash before the disk is filled," Aboukhadijeh said. The attack does not work in Firefox because "Firefox's implementation of localStorage is smarter," he said.

The Chrome developers acknowledged the issue in an entry on the Chrome bug tracker , but finding a fix might not be easy. According to some people involved in the discussion, limiting the localStorage space for subdomains in relation to the limit for their respective domains might create problems on sites like Github Pages or Appspot that provide users with their own subdomains to create projects.


Follow Us

Join the newsletter!

Error: Please check your email address.

Tags AppleGooglesecuritymozilla

Featured

Slideshows

Tech industry comes together as Lexel celebrates turning 30

Tech industry comes together as Lexel celebrates turning 30

Leading figures within the technology industry across New Zealand came together to celebrate 30 years of success for Lexel Systems, at a milestone birthday occasion at St Matthews in the City.​

Tech industry comes together as Lexel celebrates turning 30
HP re-imagines education through Auckland event launch

HP re-imagines education through Auckland event launch

HP New Zealand held an inaugural Evolve Education event at Aotea Centre in Auckland, welcoming over 70 principals, teachers and education experts to explore ways of shaping and enhancing learning using technology.

HP re-imagines education through Auckland event launch
Reseller News ICT Industry Awards 2017 - Meet the winners...

Reseller News ICT Industry Awards 2017 - Meet the winners...

Reseller News honoured the industry’s finest on a standout evening for the New Zealand channel, recognising the achievements of established and emerging partners on a memorable night in Auckland.

Reseller News ICT Industry Awards 2017 - Meet the winners...
Show Comments