An HTML5 Exploit Can Fill Your Entire Hard Drive Quick

A 22-year-old Web developer from Stanford, Feross Aboukhadijeh, has discovered that a slip-up in the implementation of HTML5 in Chrome, Internet Explorer and Safari (Opera has been ruled out) can be exploited to fill a viewer's entire hard drive. He even offers a proof-of-concept of the exploit, and a demonstration page backing up his discovery.

As Feross explains, the HTML5 Web Storage standard "localStorage" was developed to allow sites to store larger amounts of data than was previously allowed by cookies. Before web sites could store 4k of data outside the browser cache, used to store simple data like the state of the previous visit, login info and more. But HTML5 websites are allowed to hoard around 5 to 10 MB of data locally. Given hard drives are jumping into 4 TB capacities, that's still virtually nothing.

According to Feross, Google Chrome will store 2.5 MB per origin, whereas Firefox and Opera will store 5 MB. Internet Explorer is the biggest storage hog of the group, eating up a mere 10 MB per origin. Based on the HTML5 spec, all subdomain storage must fit within the origin domain's storage limit. Unfortunately, Chrome, Safari and Internet Explorer skipped that rule.

Feross claims that a cleverly coded website could take advantage of those browsers and essentially use a viewer's entire hard drive capacity as storage rather than the allowed 5 to 10 MB limit. In a proof-of-concept website, he was able to full up 1 GB of HDD space every 16 seconds. Even Safari on iOS is affected by this exploit, meaning the tablet or smartphone will run out of space in minutes.

The report states that Chrome 25, Safari 6 and Internet Explorer 10 were tested positive with the exploit. For 32-bit browsers like Google's Chrome, the entire browser may crash before the disk is filled. Even more, Feross claims that Firefox isn’t affected because Mozilla's browser has a smarter implantation of "localStorage".

For those who want to see their hard drive load up with data through a web browser, check out FillDisk.com. There's also a button planted on the page that will reclaim your gobbled-up disk space. Feross is calling on web surfers to submit a bug report to Google, Apple and Microsoft so that a fix will be released in the immediate future.


Contact Us for News Tips, Corrections and Feedback

Create a new thread in the US News comments forum about this subject
This thread is closed for comments
24 comments
    Your comment
    Top Comments
  • Anonymous
    soundpingNothing about Firefox?


    Read the whole thing:

    The report states that Chrome 25, Safari 6 and Internet Explorer 10 were tested positive with the exploit. For 32-bit browsers like Google's Chrome, the entire browser may crash before the disk is filled. Even more, Feross claims that Firefox isn’t affected because Mozilla's browser has a smarter implantation of "localStorage".
    20
  • 4745454b
    Yes. I knew I liked FF for a reason. How odd that this can happen.
    16
  • longshotthe1st
    susyque747I use a Macbook Pro and Safari advanced preferences allows you to set the amount of database storage from 0 on up. It also allows you turn of and on other aspects of the web by selecting show develop under advanced preferences.


    golfclap
    13
  • Other Comments
  • soundping
    Nothing about Firefox?
    -15
  • Anonymous
    soundpingNothing about Firefox?


    Read the whole thing:

    The report states that Chrome 25, Safari 6 and Internet Explorer 10 were tested positive with the exploit. For 32-bit browsers like Google's Chrome, the entire browser may crash before the disk is filled. Even more, Feross claims that Firefox isn’t affected because Mozilla's browser has a smarter implantation of "localStorage".
    20
  • 4745454b
    Yes. I knew I liked FF for a reason. How odd that this can happen.
    16