An HTML5 Exploit Can Fill Your Entire Hard Drive Quick

By Kevin Parrish
published

It's an HTML5 version of Jaws swimming in your browser. Or Cookie Monster. Or Pac-Man.

A 22-year-old Web developer from Stanford, Feross Aboukhadijeh, has discovered that a slip-up in the implementation of HTML5 in Chrome, Internet Explorer and Safari (Opera has been ruled out) can be exploited to fill a viewer's entire hard drive. He even offers a proof-of-concept of the exploit, and a demonstration page backing up his discovery.

As Feross explains, the HTML5 Web Storage standard "localStorage" was developed to allow sites to store larger amounts of data than was previously allowed by cookies. Before web sites could store 4k of data outside the browser cache, used to store simple data like the state of the previous visit, login info and more. But HTML5 websites are allowed to hoard around 5 to 10 MB of data locally. Given hard drives are jumping into 4 TB capacities, that's still virtually nothing.

According to Feross, Google Chrome will store 2.5 MB per origin, whereas Firefox and Opera will store 5 MB. Internet Explorer is the biggest storage hog of the group, eating up a mere 10 MB per origin. Based on the HTML5 spec, all subdomain storage must fit within the origin domain's storage limit. Unfortunately, Chrome, Safari and Internet Explorer skipped that rule.

Feross claims that a cleverly coded website could take advantage of those browsers and essentially use a viewer's entire hard drive capacity as storage rather than the allowed 5 to 10 MB limit. In a proof-of-concept website, he was able to full up 1 GB of HDD space every 16 seconds. Even Safari on iOS is affected by this exploit, meaning the tablet or smartphone will run out of space in minutes.

The report states that Chrome 25, Safari 6 and Internet Explorer 10 were tested positive with the exploit. For 32-bit browsers like Google's Chrome, the entire browser may crash before the disk is filled. Even more, Feross claims that Firefox isn’t affected because Mozilla's browser has a smarter implantation of "localStorage".

For those who want to see their hard drive load up with data through a web browser, check out FillDisk.com. There's also a button planted on the page that will reclaim your gobbled-up disk space. Feross is calling on web surfers to submit a bug report to Google, Apple and Microsoft so that a fix will be released in the immediate future.

Contact Us for News Tips, Corrections and Feedback

Kevin Parrish
24 Comments Comment from the forums
  • soundping
    Nothing about Firefox?
    Reply
  • soundpingNothing about Firefox?
    Read the whole thing:

    The report states that Chrome 25, Safari 6 and Internet Explorer 10 were tested positive with the exploit. For 32-bit browsers like Google's Chrome, the entire browser may crash before the disk is filled. Even more, Feross claims that Firefox isn’t affected because Mozilla's browser has a smarter implantation of "localStorage".
    Reply
  • 4745454b
    Yes. I knew I liked FF for a reason. How odd that this can happen.
    Reply
  • excella1221
    For those who want to see their hard drive load up with data through a web browser, check out FillDisk.com.
    I'm actually gonna try this just for the hell of it. :lol:
    Reply
  • shiftmx112
    Make sure you have your sound on.
    Reply
  • susyque747
    I use a Macbook Pro and Safari advanced preferences allows you to set the amount of database storage from 0 on up. It also allows you turn of and on other aspects of the web by selecting show develop under advanced preferences.
    Reply
  • longshotthe1st
    susyque747I use a Macbook Pro and Safari advanced preferences allows you to set the amount of database storage from 0 on up. It also allows you turn of and on other aspects of the web by selecting show develop under advanced preferences.
    golfclap
    Reply
  • alextheblue
    susyque747I use a Macbook Pro and Safari advanced preferences allows you to set the amount of database storage from 0 on up. It also allows you turn of and on other aspects of the web by selecting show develop under advanced preferences.I used to think you were just a troll, but my opinion of you has actually worsened. Epic reading comprehension fail.

    Why don't you go to the guy's exploit demo site, filldisk.com, and check it out?
    Reply
  • nebun
    disable local storage....problem fixed
    Reply
  • husker
    "Feross is calling on web surfers to submit a bug report to Google, Apple and Microsoft so that a fix will be released in the immediate future."

    If any one of them chose not to fix this ASAP, without me having to go tell them, then the other two with drive them out of business. What the heck let one of them go out of business, I don't care, the field is too crowed anyway. I say let's not tell them and they will wonder what we are all snickering at and the joke will be on them. What a hoot!
    /sarcasm
    Reply