A universal truth in software security is that your security can come crashing down with one person’s new discovery. So it was with several different web browsers when a clever researcher discovered a new trick to coerce a browser into filling its hard disk with garbage. All a user needs to do is browse to the wrong site on the web, and bye bye disk space.
How does this amazingly clever attack work? Feross Aboukhadijeh explains it in a recent post on his blog where he also links to a proof of concept site that really will fill up your hard drive. (The blog post link above is safe. What you click after you end up on Feross’s blog is up to you.) Here’s how the whole problem works:
HTML5 allows websites to ask a browser store information about a users’s session on the disk. It’s pretty nifty feature, expanding the power of websites to store session data beyond the miniscule amount permitted by a cookie. The HTML5 spec is also pretty clear that browsers should set a limit on how much a particular site can store:
User agents should limit the total amount of space allowed for storage areas.
What Aboukhadijeh discovered is that subdomains might not count against the same limit. That means that if my browser permits each site to have 5MB, then 1.example.com, 2.example.com, 3.example.com, etc. would each get 5MB. A clever attacker just needs to create a long list of subdomains and then coerce the visitor’s browser into loading them all at once.
So is this a bug with HTML5 or the browsers? Continue Reading →