Browser Security Bug Can Fill Your Hard Drive

HTML5A universal truth in software security is that your security can come crashing down with one person’s new discovery. So it was with several different web browsers when a clever researcher discovered a new trick to coerce a browser into filling its hard disk with garbage. All a user needs to do is browse to the wrong site on the web, and bye bye disk space.

How does this amazingly clever attack work? Feross Aboukhadijeh explains it in a recent post on his blog where he also links to a proof of concept site that really will fill up your hard drive. (The blog post link above is safe. What you click after you end up on Feross’s blog is up to you.) Here’s how the whole problem works:

HTML5 allows websites to ask a browser store information about a users’s session on the disk. It’s pretty nifty feature, expanding the power of websites to store session data beyond the miniscule amount permitted by a cookie. The HTML5 spec is also pretty clear that browsers should set a limit on how much a particular site can store:

User agents should limit the total amount of space allowed for storage areas.

What Aboukhadijeh discovered is that subdomains might not count against the same limit. That means that if my browser permits each site to have 5MB, then 1.example.com, 2.example.com, 3.example.com, etc. would each get 5MB. A clever attacker just needs to create a long list of subdomains and then coerce the visitor’s browser into loading them all at once.

So is this a bug with HTML5 or the browsers? In this case, the browsers are the culprit because the HTML5 spec clearly addresses this scenario:

User agents should guard against sites storing data under the origins other affiliated sites, e.g. storing up to the limit in a1.example.com, a2.example.com, a3.example.com, etc, circumventing the main example.com storage limit.

It turns out that Chrome, Safari, IE, and Opera are all affected by this problem.

The lesson here is that something seemingly secure can become totally insecure in a blink of an eye. Good security testing can be crucial to identifying problems early rather than when it’s too late.

Essential Guide to Mobile App Testing

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *