'Web code weakness allows data dump on PCs' diff viewer (0/1)

This article is from the source 'bbc' and was first published or seen on March 01, 2013 18:54 (UTC). It last changed over 40 days ago and won't be checked again for changes.

You can find the current article at its original source at http://www.bbc.co.uk/news/technology-21628622

The article has changed 3 times. There is an RSS feed of changes available.

Previous version 1 2 Next version

Previous version 1 2 Next version

Version 0	Version 1
Web code weakness allows data dump on PCs	Web code weakness allows data dump on PCs
2013-03-01 18:55:31 UTC	2013-03-02 00:10:31 UTC (about 5 hours later)
Gigabytes of junk data could be dumped onto PCs via a loophole in web code, a developer has found.	Gigabytes of junk data could be dumped onto PCs via a loophole in web code, a developer has found.
The loophole exploits a feature of HTML 5 which defines how websites are made and what they can do.	The loophole exploits a feature of HTML 5 which defines how websites are made and what they can do.
~~Developer ~~Faross~~ Aboukhadijeh found the bug and set up a demo page that fills visitors hard drives with pictures of cartoon cats.~~	Developer Feross Aboukhadijeh found the bug and set up a demo page that fills visitors hard drives with pictures of cartoon cats.
In one demo, Mr Aboukhadijeh managed to dump one gigabyte of data every 16 seconds onto a vulnerable Macbook.	In one demo, Mr Aboukhadijeh managed to dump one gigabyte of data every 16 seconds onto a vulnerable Macbook.
Clever code	Clever code
Most major browsers, Chrome, Internet Explorer, Opera and Safari, were found to be vulnerable to the bug, said Mr Aboukhadijeh.	Most major browsers, Chrome, Internet Explorer, Opera and Safari, were found to be vulnerable to the bug, said Mr Aboukhadijeh.
While most websites are currently built using version 4 of the Hyper Text Markup Language (HTML), that code is gradually being superseded by the newer version 5.	While most websites are currently built using version 4 of the Hyper Text Markup Language (HTML), that code is gradually being superseded by the newer version 5.
One big change brought in with HTML 5 lets websites store more data locally on visitors' PCs. Safeguards built into the "local storage" specification should limit how much data can be stored. Different browsers allow different limits but all allow at least 2.5 megabytes to be stored.	One big change brought in with HTML 5 lets websites store more data locally on visitors' PCs. Safeguards built into the "local storage" specification should limit how much data can be stored. Different browsers allow different limits but all allow at least 2.5 megabytes to be stored.
However, Mr Aboukhadijeh found a way round this cap by creating lots of temporary websites linked to the one a person actually visited. He found that each one of these associated sites was allowed to store up to the limit of data because browser makers had not written code to stop this happening. By endlessly creating new, linked websites the bug can be used to siphon huge amounts of data onto target PCs.	However, Mr Aboukhadijeh found a way round this cap by creating lots of temporary websites linked to the one a person actually visited. He found that each one of these associated sites was allowed to store up to the limit of data because browser makers had not written code to stop this happening. By endlessly creating new, linked websites the bug can be used to siphon huge amounts of data onto target PCs.
Only Mozilla's Firefox capped storage at 5MB and was not vulnerable, he found.	Only Mozilla's Firefox capped storage at 5MB and was not vulnerable, he found.
"Cleverly coded websites have effectively unlimited storage space on visitor's computers," wrote Mr Aboukhadijeh in a blogpost about the bug.	"Cleverly coded websites have effectively unlimited storage space on visitor's computers," wrote Mr Aboukhadijeh in a blogpost about the bug.
Code to exploit the bug has been released by Mr Aboukhadijeh and he set up a website, called Filldisk that, on vulnerable PCs, dumps lots of images of cats on to the hard drive. So far, no malicious use of the exploits has been observed.	Code to exploit the bug has been released by Mr Aboukhadijeh and he set up a website, called Filldisk that, on vulnerable PCs, dumps lots of images of cats on to the hard drive. So far, no malicious use of the exploits has been observed.
In a bid to solve the problem, bug reports about the exploit have been filed with major browser makers.	In a bid to solve the problem, bug reports about the exploit have been filed with major browser makers.