HTML5 Raises New Security Issues
As HTML5 enhances the Web, so too will it bring new vulnerabilities, security experts warn
Fri, August 20, 2010
IDG News Service — When it comes to new security issues, the security team for the Firefox browser have the new version of the Web HyperText Markup Language, HTML5, foremost on the mind.
"Web apps are becoming incredibly rich with HTML5. The browser is starting to manage full-bore applications and not just Web pages," said Sid Stamm, who works on Firefox security issues for the Mozilla Foundation. Stamm was speaking at the Usenix Security Symposium, held last week in Washington D.C.
"There is a lot of attack surface we need to think about," he said.
On the same week Stamm expressed worry over HTML5, developers of the Opera browser were busy fixing a buffer overflow vulnerability that could be exploited using the HTML5 canvas image-rendering feature.
Is it inevitable that the World Wide Web Consortium's (W3C) new set of standards for rendering Web pages, collectively known as HTML5, come with a whole new bundle of vulnerabilities? At least some security researchers are thinking this is the case.
The W3C is "gearing this entire redesign over the idea that we will start executing applications within the browser, and we've proven over the years how secure browsers are," said Kevin Johnson, a penetration tester with security consulting firm Secure Ideas. "We have to go back to understanding the browser is a malicious environment. We lost site of that."
All this new proposed functionality is beginning to be explored by security researchers.
Earlier this summer, Kuppan and another researcher posted a way to misuse the HTML5 Offline Application Cache. Google (GOOG) Chrome, Safari, Firefox and the beta of the Opera browser have all already implemented this feature, and would be vulnerable to attacks that used this approach, they noted.
The researchers argue that because any Web site can create a cache on the user's computer, and, in some browsers, do so without that user's explicit permission, an attacker could set up a fake log-in page to a site such as a social networking or e-commerce site. Such a fake page could then be used to steal the user's credentials.