HTML5 Browser Exploit Floods Hard Drives with Data

A recent HTML5 browser exploit enables websites to flood users with gigabytes of junk data, only to clog PCs and crash browsers.

Web developer Feross Aboukhadijeh rigged a proof-of-concept website that exploits the vulnerability and adds 1 GB of data every 16 seconds on a solid state drive. Named FillDisk.com, the webpage can be accessed by anyone interested in learning more about the HTML5 vulnerability.

The website works by instructing all subdomains to download the maximum data amount, resulting in masses of junk data downloaded to a users’ computer.

Although all browsers are affected, Google’s Chrome, Microsoft’s Internet Explorer and Apple’s Safari are the only ones with no browser download cap. Firefox is the only browser that limits the download amount, and is partially vulnerable to the exploit.

Aboukhadijeh encourages developers to set up safeguards to prevent this behavior, by implementing a 5 megabyte download limit per origin.

“User agents should guard against sites storing data under the origins other affiliated sites, e.g. storing up to the limit in a1.example.com, a2.example.com, a3.example.com, etc, circumventing the main example.com storage limit,” wrote Aboukhadijeh on his blog. “A mostly arbitrary limit of five megabytes per origin is recommended.”

Tests revealed that the Google Chrome browser may sometimes crash before flooding the disk, but an official Chromium bug report has been filed by Aboukhadijeh. Microsoft and Apple have also been notified of the vulnerability and a fix could be underway.