Slashdot Mirror
HTML5 Storage Bug Can Fill Your Hard Drive
Dystopian Rebel writes "A Stanford comp-sci student has found a serious bug in Chromium, Safari, Opera, and MSIE. Feross Aboukhadijeh has demonstrated that these browsers allow unbounded local storage. 'The HTML5 Web Storage standard was developed to allow sites to store larger amounts of data (like 5-10 MB) than was previously allowed by cookies (like 4KB). ... The current limits are: 2.5 MB per origin in Google Chrome, 5 MB per origin in Mozilla Firefox and Opera, 10 MB per origin in Internet Explorer. However, what if we get clever and make lots of subdomains like 1.filldisk.com, 2.filldisk.com, 3.filldisk.com, and so on? Should each subdomain get 5MB of space? The standard says no. ... However, Chrome, Safari, and IE currently do not implement any such "affiliated site" storage limit.' Aboukhadijeh has logged the bug with Chromium and Apple, but couldn't do so for MSIE because 'the page is broken" (see http://connect.microsoft.com/IE). Oops. Firefox's implementation of HTML5 local storage is not vulnerable to this exploit."
This seems like mental masturbation to me. I see no point in initiating such an "attack".
If I understand correctly, you are going to expend great effort and possibly money on tens of thousands of subdomains, transfer a lot of data and incur bandwidth charges, in order to fill someone's hard drive? This is about the lamest DoS attack I have ever heard of. And the easy fix is to simply clear cookies?
Come on, this is a non-issue looking to be a problem.
Also, you're not vulnerable if you have javascript enabled.
Such is life when your browser automatically downloads and runs arbitrary untrusted software.
This sounds like a nice weekend project, wonder how fast you can fill up a harddisk with just some javascript.
but couldn't do so for MSIE because 'the page is broken" (see http://connect.microsoft.com/IE). Oops
FUD! We haven't recieved a complaint yet.
Yours truely,
MS support.
Entirely offtopic, (and I am prepared for the karma hit) but today is my birthday!
"As the intrepid kobold companion continues his journey, he begins to wonder... if priests raises dead, why anybody die?
1.porn.com, 2.porn.com, 3.porn.com...
Actually, that could be handy -- you could store lots of music from song.album.artist.someMP3site.com.
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
On Linux using the pepperflash plugins, lots & lots of zombie processes get created and aren't even killed after you exit the browser. When I noticed 5GB of memory usage on an empty desktop, I realized that Chromium is a pro-zombie browser.
AntiFA: An abbreviation for Anti First Amendment.
no. it's a bug. the HTML5 spec clearly states that this exact behaviour should be looked out for and blocked
Is this a thing? People get tribal about browsers?
No kidding!!! What do you say at this point?
Devices with smaller drives like a cell phone, tablet or laptops like Google's Pixel would be more vulnerable. Perhaps if you created some javascript that simply made requests to iterated subdomains that simply returned a small amount of javascript that then generated large amounts of text to store locally? The bandwidth needed would be much less then and the same amount of damage done. I have no idea if this scenario is possible though so take this with a grain of salt.
isn't everyone's blog a subdomain?
It's called "Not Following The SPECIFICATION".
I have a doctorate and spend more time bathing in a given week than on videogames.
No kidding!!! What do you say at this point?
Are we done here? My coffee break ends soon.
No kidding!!! What do you say at this point?
published with a brown paper wrapper too?
, transfer a lot of data and incur bandwidth charges,
Posting anonymously since this shows how it could be done.
I don't see any need to transfer data. Simply generate random strings programatically. One could easily write a few lines of code. The storage API is a 'key' and 'value' system, so just randomly generate keys and randomly generate values in a loop. Super easy. For the subdomain stuff, like others have said, wildcard for DNS. Then just serve the small js file that runs, then programtically generates a new random subdomain to dynamically load the js file.
The end point is that you don't need a lot of data bandwidth to screw up someone's computer.
Except that the specification is perfectly fine, it's the implementation that does something different. Or do you claim that the HTML5 spec is wrong when it says that browsers should not allow for this DoS attack to happen? Stop being a dick and admit your mistake.
Ezekiel 23:20
Its not a bug. While the Web Storage API Candidate Recommendation (related to, but not part, of, the HTML5 spec) both says that user agents should set a per-origin storage limit and should identify and prevent use of "origins of affiliated sites" to circumvent that limit, it doesn't specify either what constitutes an "affiliated site", and neither of those things that it says "should" be done are requirements of the specification. "Should" has a quite specific meaning in the specification (defined by reference in the spec to RFC2119), and its not the same as "must", instead:
So, its both a recommendation rather than a requirement, and not specified clearly enough to be implemented. There are some cases where origins of the same second-level domain are meaningfully affiliated, and some times where they are not (for a clear case of the latter, consider subdomains of ".co.uk".) Its pretty clear that origins which differ only in protocol are almost always going to be affiliated by any reasonable definition (e.g., http://www.example.com/ and https://www.example.com/ which are different origins), but no automatic identification of origin affiliation by subdomain can be done simply without understanding of per-domain policies from the TLD down to the first level at which all subdomains are affiliated. (And this is a problem which will get worse with the planned explosion of TLDs.) W
I'd call that a design error. The browser is behaving as it is designed to, it's just that the way it's designed to behave is wrong.
Which is, in other words, a bug.
Why do people persist in believing that bugs can only happen in code?
I think you need to review the relevant portion of the specification, particularly the use of the word "should" and the reference to RFC2119 for the specific definition of "should" that is applicable when used in the specification.
A Stanford comp-sci student has found a serious bug in Chromium, Safari, Opera, and MSIE.
OK, so we're talking about Google, Apple, Opera and Microsoft. But then...
The current limits are: 2.5 MB per origin in Google Chrome, 5 MB per origin in Mozilla Firefox and Opera, 10 MB per origin in Internet Explorer.
Now we're talking about Google, Mozilla, Opera and Microsoft. Where did Mozilla come from, and where did Apple go?
Chrome, Safari, and IE currently do not implement any such "affiliated site" storage limit.' Firefox's implementation of HTML5 local storage is not vulnerable to this exploit.
Now we're talking about Google, Apple, Microsoft and Mozilla. Apple's back, and Opera is left out this time, and even though the author seemed to be indicating that Mozilla's browser was on the vulnerable list, now it's set apart.
Editors, if a summary is inconsistent, please clean it up or don't promote the story.
I read the summary. The author of the summary, however, has not read the spec, or, if they have, has failed to understand all of the following (a) that both the use of per-origin quotas is a recommendation, not a requirement, of the spec; (2) that the use of controls to prevent the use of affiliated origins to circumvent the recommended per-origin quotas are also recommendations, not requirements, of the spec, and (3) that the spec actually doesn't define what constitutes an affiliated origin, so that even if per-origin quotas and affiliated-origin identification-and-blocking were required by the spec, it would be impossible to judge whether any particular implementation complied with the requirement.
If they understood any of those points, they wouldn't describe this as a "bug".
The specification at issue is not a standard, its a Candidate Recommendation. Ikay, that's a technicality, but more importantly:
They are following it; both the per-origin quotas themselves and the controls regarding preventing use of affiliated origins to circumvent the quotas are recommendations (should), not a requirements (must), of the spec, so even if they were not implemented at all, the implementation could be following the spec completely.
Further, the spec never defines criteria for determining affiliated origins with regard to the controls preventing circumvention of per-origin limits, so the fact that it doesn't prevent the particular use of related origins that were at issue in this test doesn't mean they don't have controls of the type recommended.
I wonder if one could create some sort form of useless distributed storage using this. Basically get your web app use this 5MB of free space on each computer that visits you as a the storage media for a filesystem. It would be atrociously slow (access time for a particular block could be hours, days, weeks or longer) unreliable (non-repeat visitors or visitors that clear their cache represent data loss) and difficult to expand (to grow your storage you'd have to convince more people to visit your site), but if you were really bored and had nothing else to do, it could be an interesting project.
It sort of reminds me of hack/proof-of-concept “storage” method somebody once told me was possible using “ping”. Basically ping a host with an ICMP ping packet having the data you want to store in the "payload"; the destination host will apparently send this payload back to you in the ICMP response. Apparently, if you ignore (don't ACK) the response, the destination host will continuously try to resend the packet back to you, effectively storing your data "in the network". When you want to retrieve the data, ACK the response...
Is this a thing? People get tribal about browsers?
Well, he could just be annoyed about the summary being blatantly wrong, since it specifically says that the bug exists in Opera when, in fact, it does not.
But yeah, people can be a bit competitive about their favorite browser. Not as bad as emacs vs. vi or anything, but it does happen a bit.
"None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
So it's Microsoft?
This is why I have disk quotas enabled on my personal machine, even though I'm the only user. I don't want a rogue process user my UID using up those last few GB that the system will eventually need.
Well, except that if you actually read the specification, nothing raised in TFS involves doing something different than required by the specification, and, in fact, the relevant recommended-but-not-required functionality described in the specification isn't defined at all (there is no definition of "affiliated origin", and only one example given.). Its outside of the simplest naive generalization of the example given, but that interpretation (e.g., treating all subdomains of the same 2LD as "affiliated origins") would also mean everything on, e.g., ".co.uk" would share the single-origin quota belonging to "co.uk".
I call crap on the Opera thing.
Latest stable Opera browser here, 12.14, updated 5th February:
http://www.ledow.org.uk/Opera.jpg
No mention of this in the 12.14 release notes (even as a "vulnerability with details to follow later", which is common practice for Opera changelogs), and silence on the article about exactly how/why/where Opera is vulnerable.
If something pops up a million times and asks you for a Gigabyte and you click yes, then that's perfectly accepted user permission to do so.
Erm, you got it backwards. Firefox implements the standard properly, and is thus not vulnerable to disc-filling attacks of this sort. It's every other browser that is vulnerable.
Since the actual behavior of the recommended-but-not-required functionality to identify "affiliated" origins and prevent their use to circumvent the likewise recommended-but-not-required per-origin quotas is not actually specified in the Web Storage specification (particularly, the criteria for defining affiliated origins are never specified, all that is provided is one example of a set of incompletely-specified origins as an example of affiliated origins), it is inaccurate:
There are two errors in this statement:
A bug is unwanted, undesigned for response. As this was designed in the equipment, it's a design flaw, not a bug.
BTW, the world's first bug was a moth caught in a computers wiring, hence its name. The first bug was indeed a hardware error, a short circuit caused by the moth.
Free Martian Whores!
I think it is time you upgraded from firefox 2.0
Yeah I'd say it's not vulnerable to a harddrive filling exploit.
Opera definitely has issues with site-compatibility - usually due to browser sniffing, than actual standards that aren't implemented.
But it is far and above most of it's kin as far as security is concerned.
browsers, phones, computers, cars, TVs, etc. People get tribal about everything that is branded. When did we go from having faith that brand X made good products go to "everything other than brand X is complete crap!"
I've seen Safari taking up to 8 GB of RAM. This seems due to sloppy variable clearing and this makes the swap file larger and can easily end up taking over your HD.
Safari ends up being the biggest bloated pig with regards to RAM management on my Mac.
- Zav - Imagine a Beowulf cluster of insensitive clods...
Linux Mint fanboys are another similar group.
Ain't those FF memory leak issues already a blast from the past?
There's many, many ways to exhaust the resources through a browser. Just generate a huge document. Or sit in a recursive loop in JS until the stack fills the memory. By using imagination, various other methods can probably be found.
And this is why software homogenization is bad. Webkit is becoming the new IE6 but has far greater consequences because every smartphone is using a webkit based browser by default. Yes it also affected IE and Opera but Opera cut their core developers and are moving to Webkit so soon there will only be 3 major engines with one of them having a complete monopoly on smartphones.
I have a doctorate and spend more time bathing in a given week than on videogames.
I spend more time on videogames than on bathing, and I don't have a doctorate. Hmm... I wonder if there is some sort of correlation?
When our name is on the back of your car, we're behind you all the way!
Since the supercookie BS started my policy is to allow only certain sites to store cookies, and no sites are allows local database storage.
It doesn't seem to actually break any sites either.
How to disable HTML5 DOM Storage:
http://securitygarden.blogspot.com/2010/08/how-to-disable-dom-storage-cookies.html
And everything works just fine without that garbage. Plus, I don't like cookies that are never deleted!
You should try my new HTML5-enabled cloud storage site. Unlimited cheap space, really fast uploads :)
No, it wasn't. The term "bug" predates that (and computers) as a term for faults in electrical systems. The well-known moth that is the source of this myth was described in the notebook to which it was taped as the "first known instance of an actual bug being found", clearly indicating that computer "bugs" had existed before that time, but that the novel thing wasn't the term, but the fact than an actual arthropod was located and identified as the source of the problem.
Not only that, but on his other point, the memshrink project took off, Firefox has been using significantly less memory than other browsers.
On my system, for 5-10 tabs, Firefox uses about half as much memory as Chrome. For a large number of tabs, Chrome explodes to gigabytes of memory while Firefox doesn't go up by much at all.
Not to mention tab groups make organising that large number of tabs a lot easier.
https://blog.mozilla.org/nnethercote/category/memshrink/
-- perl -e'print pack"H*","6e656d6f406d38792e6f7267"'
So, where is the limit supposed to apply? To all subdomains of .com? To all subdomains of .au? How about my ISP who offers me FOO.power.on.net? Should every customer's website on power.on.net have to share the same space?
Poorly thought out standard is poor.
The browsers obviously didn't put a limit in for subdomains because it doesn't make sense. You have no idea where the organisational boundary is with regards to domain vs. subdomain.
Correct solution here I guess is to limit the space your browser can consume (we're in 2013 now, maybe give it 1GB in total, adjustable) and move on.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
The lack of ability to determine whether or not bar.foo.com and baz.foo.com are affiliated with one another. They may be the same company, they may be entirely different organsiations. They should NOT therefore be forced to share the same storage quota.
The spec as TFA author is interpreting it is broken. In actual fact, the spec leaves this open as an implementation detail and does not define the behaviour.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
A design flaw is a bug in the design. Dubious historical etymology notwithstanding.
A bug can exist anywhere in your stack - requirements, design, implementation, test.
Hmmm... it appears that you are correct.
Free Martian Whores!
Wondering if this is what happened to me the other day. My HD started to fill up unexpectedly, and it was at a greater speed than I was downloading. It went from over 500GB to about 200GB in 30 minutes. I was looking through all the different processes trying to figure out which one was causing the issue so that I could kill it. I ended up closing Safari down and the 500GB suddenly reappeared. At the time I figured it was a bug. Just makes me wonder if it is this bug.
Sure enough, the cow costume was hanging up next to the superhero outfit and sailors uniform. (S,Spud)
Not HTML5's specification, Firefox's.
No kidding!!! What do you say at this point?
Just to be clear on this, if Mozilla failed to obey the HTML5 spec on offline storage, then that's a design error in Firefox, and even the most complete, perfectly bug-free version of Firefox is not going to address their original oversight. Any more than a completely bug-free version of Internet Explorer 6 is going to be standards-compliant.
This is important stuff. All mistakes are not equal.
No kidding!!! What do you say at this point?