Browser exploit allows for secret flooding of hard disk

by Michael Smith (Veshengro)

filldiskThe new website Filldisk.com uses a dangerous HTML5 security hole which affect browsers Chrome, Safari, Opera and Internet Explorer. Alone clicking on the website makes it possible that in only a few seconds many Gigabytes of picture of cats will accumulate on the hard drive of the PC. Only users of the Firefox browser currently cannot be attacked.

The developer responsible for the website is the programmer Feross Aboukhadijeh who already on February 27, 2013 presented the “HTML 5 Hard Disk Filler API” on his Blog.

By means of a script can any website get prepared in such a way that within seconds the hard drive of each and every visitor will be flooded with a great mass of data. In the case of the demonstration by Aboukhadijeh on Filldisk.com (Warning! Already by simply opening the website the download begins and the hard disk will be flooded) every second an almost uncountable amount of picture of cats are being transferred.

While it is possible, in this case, because it is a demonstration, to erase this data garbage again with a simple click, a serious attacker intent on doing harm, however, will, more than likely, not offer such an option to any victim.

The reason that such an attack is at all possible is due to the new localStorage function of HTML5. This makes it possible instead of small cookies with just a very small amount of bytes also to deposit large amount of data on the computer of the user.

The browser's job is, indeed, to limit the possible amount of memory use of each and every website and, depending of the software every domain can deposit but 5MB of data, but that is a case of “theoretically”.

The developers of Google Chrome, Safari, Opera and Internet Explorer have, unfortunately, not considered that such misuse could come via many subdomains. The exploit Aboukhadijeh's gains access over 1.filldisk.com, 2.filldisk.com... so much on hard disk space as it would like.

In the official documentation for HTML5 the developers have actually ywarned about this possibility but only users of Firefox receive at the demonstration website the message that the bug does not exist in their browsers. Yet again a reason to choose and use Firefox, methinks.

Despite the fact that Aboukhadijeh has informed, via the bug reporting systems, all of the developers of the affected browsers but so far no steps have been taken to rectify the matter in the affected browsers.

© 2013