HTML5 Browser Bug Floods Hard Drives In Minutes


A recently discovered browser flaw could allow attackers to fill a site visitor's physical hard drive with data. At the moment, Mozilla's Firefox is the only major browser not affected by the problem.

The technology involved is HTML5, the latest edition of the standard code used to produce websites. One of the key features of HTML5 allows web developers to include code for showing multimedia -- such as animations and videos -- without the website visitor having to install special plug-in software.

Web browsers have always been able to write some data to a computer's hard drive, usually on a temporary basis, to make websites load more quickly and smoothly. HTML5 increases the amount of data browsers can store, but still limits it to a few megabytes per website.

Simple Loophole Breaches HTML5 Safeguards

However, web developer Feross Aboukhadijeh has reportedly found a way around these restrictions. The loophole involves creating many "subdomains" under a single website address: the browser treats each subdomain as a completely different site, so each one receives its own storage allowance.

Although HTML5 guidelines say web browsers should be designed to recognize this trick, it appears only Firefox currently does so. (Source: bbc.co.uk)

Aboukhadijeh tested this loophole by producing numerous dummy web pages, each on its own subdomain, loaded from a single site the user visits. He then set the site to repeatedly write cat image files to the user's hard drive.
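The difference between the affected browsers and Firefox comes down to what key the storage quota is charged against. The following script is an added illustration, not code from the article or from Aboukhadijeh's demonstration site. It simulates a browser's storage quota under two policies (charged per origin, i.e. per full hostname, versus charged per registrable domain) and shows how the same run of subdomain writes yields very different totals. It assumes a flat 5 MiB quota and simplifies "registrable domain" to the last two DNS labels; real browsers consult the Public Suffix List for this.

```javascript
// Added example: simulate per-origin vs. per-site storage quota enforcement.
// Assumptions (not from the article): 5 MiB quota per key, and a simplified
// registrable-domain rule (last two labels) in place of the Public Suffix List.
const QUOTA_BYTES = 5 * 1024 * 1024;

// Policy used by the affected browsers: every hostname is its own bucket.
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Policy the HTML5 guidance expects: subdomains share one bucket.
function registrableDomain(url) {
  const labels = new URL(url).hostname.split('.');
  return labels.slice(-2).join('.');
}

class StorageQuota {
  constructor(keyFn, quota = QUOTA_BYTES) {
    this.keyFn = keyFn;
    this.quota = quota;
    this.used = new Map(); // key -> bytes stored
  }

  // Returns true if the write fits, false if it would exceed the quota
  // (the point at which a real browser throws QuotaExceededError).
  write(url, bytes) {
    const key = this.keyFn(url);
    const current = this.used.get(key) || 0;
    if (current + bytes > this.quota) return false;
    this.used.set(key, current + bytes);
    return true;
  }

  totalBytes() {
    return [...this.used.values()].reduce((a, b) => a + b, 0);
  }
}

// Drive `subdomainCount` pages, each on its own subdomain of example.com,
// each writing 1 MiB chunks until the browser refuses. Returns the manager
// so the caller can inspect totals and per-key usage.
function runSimulation(policy, subdomainCount, chunkBytes = 1024 * 1024) {
  const mgr = new StorageQuota(policy);
  for (let i = 0; i < subdomainCount; i++) {
    const url = `https://sub${i}.example.com/`;
    while (mgr.write(url, chunkBytes)) { /* keep writing until refused */ }
  }
  return mgr;
}

// Defender-side check: given the origins that hold storage, flag any
// registrable domain with an unusually large number of distinct subdomains
// holding data, which is the footprint this trick leaves behind.
function flagStorageAbuse(origins, minOrigins = 20) {
  const perDomain = new Map();
  for (const origin of origins) {
    const d = registrableDomain(origin);
    perDomain.set(d, (perDomain.get(d) || 0) + 1);
  }
  return [...perDomain.entries()]
    .filter(([, n]) => n >= minOrigins)
    .map(([d]) => d);
}

const perOrigin = runSimulation(originOf, 100);
const perSite = runSimulation(registrableDomain, 100);
console.log('per-origin quota total bytes:', perOrigin.totalBytes()); // 524288000 (500 MiB)
console.log('per-site quota total bytes:  ', perSite.totalBytes());   // 5242880 (5 MiB)
console.log('flagged domains:', flagStorageAbuse(perOrigin.used.keys()));
```

With 100 subdomains the per-origin policy lets the page store 100 times the intended limit, and the total grows linearly with however many subdomains the attacker cares to generate; charging the quota to the registrable domain caps the whole family of subdomains at a single 5 MiB allowance. The `flagStorageAbuse` helper is the same grouping applied after the fact, which is how an administrator inspecting a browser profile's storage directory would recognize the pattern.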

4GB of Cat Pics Stored Every Minute

The trick works on the latest versions of Internet Explorer, Chrome, and Safari, and can write files at breakneck speed: in one test, Aboukhadijeh found the site was writing one gigabyte of data to his computer every 16 seconds.

Depending on the browser and computer set-up, the new picture files will keep on coming until a) the hard drive fills up, or b) the browser crashes.

Aboukhadijeh has made the website publicly available for demonstration purposes, but has included an undo button that will delete all of the image files.

He's also published links for reporting bugs to Google, Microsoft, and Apple, and is encouraging users to file their own reports with these firms. (Source: feross.org)
