HTML5 Raises New Security Issues

As HTML5 enhances the Web, so too will it bring new vulnerabilities, security experts warn

By Joab Jackson
Fri, August 20, 2010

IDG News Service — When it comes to new security issues, the security team for the Firefox browser has the new version of the Web HyperText Markup Language, HTML5, foremost in mind.

"Web apps are becoming incredibly rich with HTML5. The browser is starting to manage full-bore applications and not just Web pages," said Sid Stamm, who works on Firefox security issues for the Mozilla Foundation. Stamm was speaking at the Usenix Security Symposium, held last week in Washington D.C.

"There is a lot of attack surface we need to think about," he said.

In the same week that Stamm expressed worry over HTML5, developers of the Opera browser were busy fixing a buffer overflow vulnerability that could be exploited using the HTML5 canvas image-rendering feature.

Is it inevitable that the World Wide Web Consortium's (W3C) new set of standards for rendering Web pages, collectively known as HTML5, comes with a whole new bundle of vulnerabilities? At least some security researchers think this is the case.

"HTML5 brings a lot of features and power to the Web. You can do so much more [malicious work] with plain HTML5 and JavaScript now than was ever possible before," said security researcher Lavakumar Kuppan.

The W3C is "gearing this entire redesign over the idea that we will start executing applications within the browser, and we've proven over the years how secure browsers are," said Kevin Johnson, a penetration tester with security consulting firm Secure Ideas. "We have to go back to understanding the browser is a malicious environment. We lost sight of that."

Although it is the name of a specification in its own right, HTML5 is also often used to describe a loosely interrelated set of standards that, taken together, can be used to build full-fledged Web applications. They offer capabilities such as page formatting, offline data storage and image rendering, among others. (Though not a W3C spec, JavaScript is also frequently lumped in with these standards, so widely is it used in building Web applications.)

All this new proposed functionality is beginning to be explored by security researchers.

Earlier this summer, Kuppan and another researcher posted a way to misuse the HTML5 Offline Application Cache. Google (GOOG) Chrome, Safari, Firefox and the beta of the Opera browser have all already implemented this feature, and would be vulnerable to attacks that used this approach, they noted.

The researchers argue that because any Web site can create an offline cache on the user's computer, and, in some browsers, can do so without the user's explicit permission, an attacker could plant a fake log-in page for a site such as a social networking or e-commerce site. Such a fake page could then be used to steal the user's credentials.
