HTML5 Storage Bug Can Fill Your Hard Drive

Dystopian Rebel writes "A Stanford comp-sci student has found a serious bug in Chromium, Safari, Opera, and MSIE. Feross Aboukhadijeh has demonstrated that these browsers allow unbounded local storage. 'The HTML5 Web Storage standard was developed to allow sites to store larger amounts of data (like 5-10 MB) than was previously allowed by cookies (like 4KB). ... The current limits are: 2.5 MB per origin in Google Chrome, 5 MB per origin in Mozilla Firefox and Opera, 10 MB per origin in Internet Explorer. However, what if we get clever and make lots of subdomains like 1.filldisk.com, 2.filldisk.com, 3.filldisk.com, and so on? Should each subdomain get 5MB of space? The standard says no. ... However, Chrome, Safari, and IE currently do not implement any such "affiliated site" storage limit.' Aboukhadijeh has logged the bug with Chromium and Apple, but couldn't do so for MSIE because 'the page is broken" (see http://connect.microsoft.com/IE). Oops. Firefox's implementation of HTML5 local storage is not vulnerable to this exploit."

Disable Javascript

Also, you're not vulnerable if you have javascript enabled.

Such is life when your browser automatically downloads and runs arbitrary untrusted software.

It's a feature!

[sootman]

1.porn.com, 2.porn.com, 3.porn.com...

Actually, that could be handy -- you could store lots of music from song.album.artist.someMP3site.com.

Re:It's a feature!

[sootman]

Come to think of it, it could lead to problems. What if you read a lot of blogs hosted on wordpress.com? Or use many apps on *.google.com?

Re:Bug, or exploit?

[DarkRat]

no. it's a bug. the HTML5 spec clearly states that this exact behaviour should be looked out for and blocked

Mobile devices?

[dclozier]

Devices with smaller drives like a cell phone, tablet or laptops like Google's Pixel would be more vulnerable. Perhaps if you created some javascript that simply made requests to iterated subdomains that simply returned a small amount of javascript that then generated large amounts of text to store locally? The bandwidth needed would be much less then and the same amount of damage done. I have no idea if this scenario is possible though so take this with a grain of salt.

Re:So What's The Point

[Qzukk]

Subdomains are free. With a wildcard DNS record, you have nearly an infinite supply of them.

Re:I wonder how fast I can fill my harddisk...

[claar]

You're assuming that you have to download the files. It's highly likely the data could be generated locally in JavaScript.

Re:So What's The Point

[The+Mighty+Buzzard]

Really? You've never admin'd a dns server then. It's trivial to have one respond to wildcard subdomain names that you could generate dynamically on page load with one line of javascript.

Re:So What's The Point

[bill_mcgonigle]

If you have a popular blog, there's no need to pay for network backup anymore - just drop enough 5MB blocks encrypted and with decent FEC to each of your readers. If you ever have a failure, just throw up a basic page with a funny cat picture and start restoring from your distributed backup.

Re:So What's The Point

[arth1]

It doesn't take much work or time to set up a wildcard CNAME entry pointing to a single web server that answers a wildcard. You now have billions of subdomains with a couple of minutes of work.
The web instance serves a short javascript which generates a boatload of data on the client side, and then calls a random subdomain to reload the js with a new domain name.

All this can be linked to a single ad (or blog comment, for vulnerable boards that allow css exploits).

Re:So What's The Point

[thetoadwarrior]

It's a web app, let the client generate it. You generate the free sub domains with a script or something a bit more intelligent but either way the cost should be minimal. I assume as well you wouldn't necessarily need to fill it completely. A gig or two might ruin the browser's performance.

much easier than you think

, transfer a lot of data and incur bandwidth charges,

Posting anonymously since this shows how it could be done.

I don't see any need to transfer data. Simply generate random strings programatically. One could easily write a few lines of code. The storage API is a 'key' and 'value' system, so just randomly generate keys and randomly generate values in a loop. Super easy. For the subdomain stuff, like others have said, wildcard for DNS. Then just serve the small js file that runs, then programtically generates a new random subdomain to dynamically load the js file.

The end point is that you don't need a lot of data bandwidth to screw up someone's computer.

Re:Bug, or exploit?

[K.+S.+Kyosuke]

Except that the specification is perfectly fine, it's the implementation that does something different. Or do you claim that the HTML5 spec is wrong when it says that browsers should not allow for this DoS attack to happen? Stop being a dick and admit your mistake.

Read the spec: recommendation, not requirement

[DragonWriter]

no. it's a bug. the HTML5 spec clearly states that this exact behaviour should be looked out for and blocked

Its not a bug. While the Web Storage API Candidate Recommendation (related to, but not part, of, the HTML5 spec) both says that user agents should set a per-origin storage limit and should identify and prevent use of "origins of affiliated sites" to circumvent that limit, it doesn't specify either what constitutes an "affiliated site", and neither of those things that it says "should" be done are requirements of the specification. "Should" has a quite specific meaning in the specification (defined by reference in the spec to RFC2119), and its not the same as "must", instead:

SHOULD This word, or the adjective "RECOMMENDED", mean that there may exist valid reasons in particular circumstances to ignore a particular item, but the full implications must be understood and carefully weighed before choosing a different course.

So, its both a recommendation rather than a requirement, and not specified clearly enough to be implemented. There are some cases where origins of the same second-level domain are meaningfully affiliated, and some times where they are not (for a clear case of the latter, consider subdomains of ".co.uk".) Its pretty clear that origins which differ only in protocol are almost always going to be affiliated by any reasonable definition (e.g., http://www.example.com/ and https://www.example.com/ which are different origins), but no automatic identification of origin affiliation by subdomain can be done simply without understanding of per-domain policies from the TLD down to the first level at which all subdomains are affiliated. (And this is a problem which will get worse with the planned explosion of TLDs.) W

Re:Read the spec: recommendation, not requirement

[DragonWriter]

You must be awful fun when talking to customers. They tend not to understand the distinction between "shall" and "should".

There is a reason why internet specifications (whether or not they are from IETF, and often whether or not they are even intended as standards-track) reference the RFC2119 definitions. "MUST" vs. "SHOULD" is an important distinction.

In this particular case, whats even more important is that the recommended functionality at issue isn't defined at all, there is just one example -- and the example doesn't fully specify the origins, so its an incomplete example -- given and no definition of the parameters of the identification of "affiliated origins". So if it was a "MUST", it would be a broken standard (since it would be impossible to assess conformance), and as it is, its impossible to say whether a particular implementation even implements the recommended functionality.

"there may exist valid reasons in particular circumstances to ignore a particular item" - in other words, this is a case where the feature should ALWAYS be applied to generic software because that must deal with all circumstances, not just "particular" ones

Any particular user agent is a "particular circumstance" (it is specific software with a specific use case within the scope of all possible kinds of user agents which might implement the Web Storage API); there is no such thing as an implementation that must deal with "all circumstances".

It really should not be hard to have a popup that says "This web page wants to create local storage on your computer allow/disallow"

Its not at all hard, but that's not related to the recommendation to implement per-origin quotas, or the further recommendation to build on top of the per-origin quotas functionality to detect and limit the use of "affiliated origins" to circumvent the per origin quotas, which is what is at issue here. Per-origin allow/disallow for Web Storage use isn't even a recommendation of the specification. (Though it is explicitly permitted behavior.)

Re:So What's The Point

[Jiro]

That's not true.

"Nearly infinite" means "it's not infinite, but it's large enough that it has most of the same practical effects as it would if it were infinite".

You seem to be interpreting the word "nearly" to mean "has a numerical value close to" rather than "has effects similar to". Obviously it is nonsensical for something to be nearly infinite using that first definition, but that should be a warning sign that you're not using the definition that people mean, not that everyone else is speaking nonsense.

Re:So What's The Point

[TheRaven64]

You misunderstand how the attack works. The client-side code is allowed to store 5-10MB per domain, but it can generate this data (math.random() will do it fine). The per-domain thing mean that you need one HTTP request per 5-10MB, but on the server that will be a wildcard DNS entry always resolving to the same server. If you set the cache headers with a sufficiently long timeout, then you can probably have a single site hosting the .js (so the browser will only request it once) and then just send a tiny HTML page referencing it. The JavaScript then creates a new iframe with a new (random) subdomain as the target, and so you each HTTP request to your server (total of about 1KB of traffic) generates 5-10MB of data on the client's hard disk.