Sign in with
Sign up | Sign in

An HTML5 Exploit Can Fill Your Entire Hard Drive Quick

By - Source: Feross | B 24 comments

It's an HTML5 version of Jaws swimming in your browser. Or Cookie Monster. Or Pac-Man.

A 22-year-old Web developer from Stanford, Feross Aboukhadijeh, has discovered that a slip-up in the implementation of HTML5 in Chrome, Internet Explorer and Safari (Opera has been ruled out) can be exploited to fill a viewer's entire hard drive. He even offers a proof-of-concept of the exploit, and a demonstration page backing up his discovery.

As Feross explains, the HTML5 Web Storage standard "localStorage" was developed to allow sites to store larger amounts of data than was previously allowed by cookies. Before web sites could store 4k of data outside the browser cache, used to store simple data like the state of the previous visit, login info and more. But HTML5 websites are allowed to hoard around 5 to 10 MB of data locally. Given hard drives are jumping into 4 TB capacities, that's still virtually nothing.

According to Feross, Google Chrome will store 2.5 MB per origin, whereas Firefox and Opera will store 5 MB. Internet Explorer is the biggest storage hog of the group, eating up a mere 10 MB per origin. Based on the HTML5 spec, all subdomain storage must fit within the origin domain's storage limit. Unfortunately, Chrome, Safari and Internet Explorer skipped that rule.

Feross claims that a cleverly coded website could take advantage of those browsers and essentially use a viewer's entire hard drive capacity as storage rather than the allowed 5 to 10 MB limit. In a proof-of-concept website, he was able to full up 1 GB of HDD space every 16 seconds. Even Safari on iOS is affected by this exploit, meaning the tablet or smartphone will run out of space in minutes.

The report states that Chrome 25, Safari 6 and Internet Explorer 10 were tested positive with the exploit. For 32-bit browsers like Google's Chrome, the entire browser may crash before the disk is filled. Even more, Feross claims that Firefox isn’t affected because Mozilla's browser has a smarter implantation of "localStorage".

For those who want to see their hard drive load up with data through a web browser, check out FillDisk.com. There's also a button planted on the page that will reclaim your gobbled-up disk space. Feross is calling on web surfers to submit a bug report to Google, Apple and Microsoft so that a fix will be released in the immediate future.


Contact Us for News Tips, Corrections and Feedback

Discuss
Ask a Category Expert

Create a new thread in the News comments forum about this subject

Example: Notebook, Android, SSD hard drive

This thread is closed for comments
Top Comments
  • 20 Hide
    athulajp , March 3, 2013 11:23 AM
    soundpingNothing about Firefox?


    Read the whole thing:

    The report states that Chrome 25, Safari 6 and Internet Explorer 10 were tested positive with the exploit. For 32-bit browsers like Google's Chrome, the entire browser may crash before the disk is filled. Even more, Feross claims that Firefox isn’t affected because Mozilla's browser has a smarter implantation of "localStorage".
  • 16 Hide
    4745454b , March 3, 2013 12:11 PM
    Yes. I knew I liked FF for a reason. How odd that this can happen.
  • 13 Hide
    longshotthe1st , March 3, 2013 2:09 PM
    susyque747I use a Macbook Pro and Safari advanced preferences allows you to set the amount of database storage from 0 on up. It also allows you turn of and on other aspects of the web by selecting show develop under advanced preferences.


    golfclap
Other Comments
    Display all 24 comments.
  • 20 Hide
    athulajp , March 3, 2013 11:23 AM
    soundpingNothing about Firefox?


    Read the whole thing:

    The report states that Chrome 25, Safari 6 and Internet Explorer 10 were tested positive with the exploit. For 32-bit browsers like Google's Chrome, the entire browser may crash before the disk is filled. Even more, Feross claims that Firefox isn’t affected because Mozilla's browser has a smarter implantation of "localStorage".
  • 16 Hide
    4745454b , March 3, 2013 12:11 PM
    Yes. I knew I liked FF for a reason. How odd that this can happen.
  • 5 Hide
    excella1221 , March 3, 2013 12:49 PM
    Quote:
    For those who want to see their hard drive load up with data through a web browser, check out FillDisk.com.

    I'm actually gonna try this just for the hell of it. :lol: 
  • 6 Hide
    shiftmx112 , March 3, 2013 1:20 PM
    Make sure you have your sound on.
  • 13 Hide
    longshotthe1st , March 3, 2013 2:09 PM
    susyque747I use a Macbook Pro and Safari advanced preferences allows you to set the amount of database storage from 0 on up. It also allows you turn of and on other aspects of the web by selecting show develop under advanced preferences.


    golfclap
  • 6 Hide
    alextheblue , March 3, 2013 3:09 PM
    susyque747I use a Macbook Pro and Safari advanced preferences allows you to set the amount of database storage from 0 on up. It also allows you turn of and on other aspects of the web by selecting show develop under advanced preferences.
    I used to think you were just a troll, but my opinion of you has actually worsened. Epic reading comprehension fail.

    Why don't you go to the guy's exploit demo site, filldisk.com, and check it out?
  • -1 Hide
    nebun , March 3, 2013 3:43 PM
    disable local storage....problem fixed
  • 0 Hide
    husker , March 3, 2013 5:42 PM
    "Feross is calling on web surfers to submit a bug report to Google, Apple and Microsoft so that a fix will be released in the immediate future."

    If any one of them chose not to fix this ASAP, without me having to go tell them, then the other two with drive them out of business. What the heck let one of them go out of business, I don't care, the field is too crowed anyway. I say let's not tell them and they will wonder what we are all snickering at and the joke will be on them. What a hoot!
    /sarcasm
  • 2 Hide
    danwat1234 , March 3, 2013 6:08 PM
    Chrome 25 crashed after about 700MB of uncompressed madness.
    Cool how with NTFS compression, the files are automatically compressed to a 7:1 ratio or so (700MB uncompressed, 100MB compressed).
    So obviously the main concern is the browser crashing than hard drive space.
  • 6 Hide
    glob , March 3, 2013 6:18 PM
    Misleading title. As stated in the article, a number of browsers didn't implement the specs correctly; nothing wrong with HTML 5 (regarding this, at least).
  • 3 Hide
    anxiousinfusion , March 3, 2013 6:51 PM
    The silver lining to this could be that the exploit is a free drive scrubber for those looking to overwrite all sectors on a hard drive.
  • 0 Hide
    curnel_D , March 3, 2013 7:12 PM
    Using opera, I'm not affected. (Just checked)
  • 1 Hide
    kartu , March 3, 2013 7:12 PM
    Too bad Opera has already announced they'll switch to WebKit... =/
  • -1 Hide
    curnel_D , March 3, 2013 7:13 PM
    kartuToo bad Opera has already announced they'll switch to WebKit... =/

    Got a link? I'd like to read that.
  • 1 Hide
    Cy-Kill , March 3, 2013 7:39 PM
    I tried the site, it wasn't working in IE10, but it does work in any Chromium-based browser.
  • 0 Hide
    Cy-Kill , March 3, 2013 7:41 PM
    curnel_DGot a link? I'd like to read that.


    Here you go:

    http://bit.ly/12mIHx2
  • 1 Hide
    Onihikage , March 3, 2013 7:42 PM
    curnel_DGot a link? I'd like to read that.

    http://justgit.com/?q=opera%20switching%20to%20webkit
  • 0 Hide
    knowom , March 3, 2013 9:02 PM
    "You're using Firefox, so you're safe. This demo won't work for you. Try Chrome, Safari, or IE." Thou shalt not pass but.....I wanted to play in the litter box with all the other cats!!
Display more comments