FF4m3

@rr.com

HTML5 Web Storage Loophole Affects Most Browsers

HTML5 Web Storage loophole can be abused to fill hard disks with junk data:

A security researcher has found a loophole in how the HTML5 Web Storage standard is implemented in the Google Chrome, Internet Explorer and Apple Safari browsers that could allow malicious websites to fill visitors' hard disk drives with large amounts of junk data.

The localStorage attribute of the Web Storage API allows websites to store between 2.5MB and 10MB of data per origin -- domain name -- depending on the browser used. Google Chrome enforces a limit of 2.5MB, Mozilla Firefox a limit of 5MB and Internet Explorer a limit of 10MB.

However, the Web Storage standard warns that some websites might attempt to circumvent the storage limit by storing data from their subdomains. "User agents should guard against sites storing data under the origins of other affiliated sites, e.g. storing up to the limit in a1.example.com, a2.example.com, a3.example.com, etc, circumventing the main example.com storage limit," according to the standard, published by the World Wide Web Consortium.

"Chrome, Safari, and IE currently do not implement any such 'affiliated site' storage limit," Web developer and security researcher Feross Aboukhadijeh said Wednesday in a blog post. Since website owners can generate subdomains at will, they can exploit this loophole to effectively gain unlimited storage space on visitors' computers, he said.

Aboukhadijeh created a proof-of-concept website that uses this trick to fill visitors' hard disk drives with junk data. The site was tested with Chrome 25, Safari 6, Opera 12 and IE 10, and was capable of writing 1GB of data every 16 seconds on a Macbook Pro equipped with a solid state drive (SSD), the researcher said.

"For 32-bit browsers, like Chrome, the entire browser may crash before the disk is filled," Aboukhadijeh said. The attack does not work in Firefox because "Firefox's implementation of localStorage is smarter," he said.

...finding a fix might not be easy.
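The "affiliated site" guard the standard asks for, sketched as an added example (not part of the original post, the quoted article or any browser's code): usage is charged to the registrable domain, so a1/a2/a3.example.com share one budget. The suffix list, the 5 MB limit and all names here are assumptions made for the illustration.

```javascript
// SUFFIXES is a tiny constructed stand-in for the Public Suffix List.
const SUFFIXES = new Set(["com", "net", "org", "co.uk"]);
const GROUP_LIMIT = 5 * 1024 * 1024; // assumed budget per registrable domain

// Registrable domain = longest matching public suffix plus one more label.
function registrableDomain(host) {
  const labels = host.toLowerCase().replace(/\.$/, "").split(".");
  for (let i = 0; i < labels.length; i++) {
    if (SUFFIXES.has(labels.slice(i).join("."))) {
      // A bare public suffix ("co.uk") has no registrable domain.
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null; // suffix not in the list
}

class QuotaManager {
  constructor(limit = GROUP_LIMIT) {
    this.limit = limit;
    this.used = new Map();  // registrable domain -> bytes over all subdomains
    this.items = new Map(); // "host\nkey" -> bytes, so overwrites are not double-counted
  }
  // Returns true if stored, false where a browser would throw QuotaExceededError.
  setItem(host, key, value) {
    const group = registrableDomain(host) || host; // unknown suffix: fall back to host
    const id = host + "\n" + key;
    const size = 2 * (key.length + value.length);  // UTF-16 code units
    const total = (this.used.get(group) || 0) - (this.items.get(id) || 0) + size;
    if (total > this.limit) return false;
    this.used.set(group, total);
    this.items.set(id, size);
    return true;
  }
  usage(host) {
    return this.used.get(registrableDomain(host) || host) || 0;
  }
}

// Constructed scenario: three subdomains each write 400 bytes against a 1000-byte budget.
function demo() {
  const qm = new QuotaManager(1000);
  const chunk = "x".repeat(196); // key "junk" + value = 200 code units = 400 bytes
  const results = ["a1", "a2", "a3"].map(
    (sub) => qm.setItem(sub + ".example.com", "junk", chunk));
  return { results, used: qm.usage("example.com") };
}
```

With per-origin accounting all three writes would succeed; here the third is refused because the group total would exceed the budget.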


Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5

1 recommendation

Easy fix. Turn off the Cache service in your browsers (except IE you cannot but put as low as possible and avoid using IE). Don't allow websites to store HTML5 stuff on your disk. Allow ZERO storage space. I do this on all browsers. I have a fast connection. I have no need whatsoever for websites to store anything on MY drive. I get prompts from every browser about sites wanting storage space. I deny it to all and have been doing it for years. I particularly do not want this junk on my SSD. I don't want any SuperCookies.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson



Juggernaut
Irreverent or irrelevant?
Premium
join:2006-09-05
Kelowna, BC
kudos:2

^ This.


OZO
Premium
join:2003-01-17
kudos:2
reply to FF4m3

I agree with posters above. Turn it completely off. Or, with those huge limits on HTML5 Web Storage data allowed to keep on your computer, some day you may discover your own Stuxnet there...
--
Keep it simple, it'll become complex by itself...


Mister_E

join:2004-04-02
Etobicoke, ON
Reviews:
·Bell Sympatico
reply to FF4m3

In IE10 settings under Advanced > Security, there's an option for 'Enable DOM Storage' (Document Object Model).

Disabling this option seems to prevent the HTML5 Web Storage in IE (at least when tested at »arty.name/localstorage.html).

Disabling the option may break some websites though.

Any thoughts?



goalieskates
Premium
join:2004-09-12
land of big
reply to Mele20

said by Mele20:

Easy fix. Turn off the Cache service in your browsers (except IE you cannot but put as low as possible and avoid using IE). Don't allow websites to store HTML5 stuff on your disk. Allow ZERO storage space.

Yes, thank you. But only easy if you know about it, which the average user won't. They'll sit there fat, dumb, and happy with their automatic updates and assume they've done what they need to.

So hopefully fixes are forthcoming for all affected browsers.


ashrc4
Premium
join:2009-02-06
australia
reply to FF4m3

The Sandboxie sandbox has an adjustable size limit and will top out above this.
If you use it, it will wipe all changes when the sandbox is closed.
The only caution I see using it is being able to exploit data from one's PC is not pro-active to stop by design.
I'm far more concerned by that than receiving junk data that gets deleted with limited appeal.
--
Paradigm Shift beta test pilot. "Dying to defend one's small piece of suburb...Give me something global...STAT!



ccleaner

@ecatel.net
reply to FF4m3

Would crap cleaner not remove this data?

I too also disable DOM storage in IE.

cheers



ashrc4
Premium
join:2009-02-06
australia

said by ccleaner:

Would crap cleaner not remove this data?

I too also disable DOM storage in IE.

cheers

A full partition may cause instability issues, but rules for HTML 5 clean up can be expressed.
BleachBit is more "out of the box" friendly and regularly updated to do so.
--
Paradigm Shift beta test pilot. "Dying to defend one's small piece of suburb...Give me something global...STAT!


norwegian
Premium
join:2005-02-15
Outback
reply to Mister_E

said by Mister_E:

In IE10 settings under Advanced > Security, there's an option for 'Enable DOM Storage' (Document Object Model).

Disabling this option seems to prevent the HTML5 Web Storage in IE (at least when tested at »arty.name/localstorage.html).

Disabling the option may break some websites though.

Any thoughts?

It has always been suggested to turn that off as a security barrier.
I've had no real troubles up until IE9 on Win 7 disabling it on every machine for IE.

On the test, IE9, Win 7:
• The test worked with it enabled
• The test didn't work with it disabled
Although it was allowed to still pass 100 characters leaving no trace with DCOM storage disabled.
Something possibly just as dangerous depending on the exploit path and needs if the hole was still workable within the 100 characters.
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke


Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5

So the test said it set 100 characters on IE 9 even though "enable DOM storage" was disabled?

On IE 10 64bit version on Win 8, nothing happens on that web page.

On Fx 17 ESR, nothing happens on that web page.

On Opera 12.14, I got a popup saying the site was requesting unlimited storage and the current storage was 0. I denied any storage to the site and nothing happened further.

DOM storage is disabled on all three browsers. On IE I also have under Internet Options/general tab under Settings "Allow Website Caches and Databases" UNchecked.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson



therube

join:2004-11-11
Randallstown, MD
Reviews:
·Comcast
·Verizon Online DSL

1 edit
reply to FF4m3

The related prefs in Mozilla are:

dom.storage.default_quota
dom.storage.enabled

Ref:
DOM Storage
Web storage
Understanding WebStorage



Cthen

join:2004-08-01
Detroit, MI
Reviews:
·Verizon Wireless..

1 recommendation

reply to Mele20

said by Mele20:

Easy fix. Turn off the Cache service in your browsers (except IE you cannot but put as low as possible and avoid using IE). Don't allow websites to store HTML5 stuff on your disk. Allow ZERO storage space. I do this on all browsers. I have a fast connection. I have no need whatsoever for websites to store anything on MY drive. I get prompts from every browser about sites wanting storage space. I deny it to all and have been doing it for years. I particularly do not want this junk on my SSD. I don't want any SuperCookies.

Good, now try explaining that to Joe Blow without getting a blank stare. After that, try getting Joe Blow to do that again after showing him.
--
"I like to refer to myself as an Adult Film Efficienato." - Stuart Bondek