A web developer has demonstrated a proof-of-concept exploit that allows websites to bombard visitors’ computers with masses of data, and it works with the Internet Explorer, Chrome and Safari browsers.
Computer science graduate Feross Aboukhadijeh has demonstrated his work on Filldisk.com, where his proof of concept can download up to 1GB of data every sixteen seconds (subject, of course, to your maximum internet download speed).
Interestingly, it requires absolutely no user interaction in order to work – merely visiting the site will kick the process off.
But this isn’t some strange new flaw that has been discovered here – it’s actually part of the Web Storage Standard of HTML5, which purposely allows large amounts of data to be stored for development purposes and also for recovery purposes should the browser crash.
“Indeed, Chrome, IE, and Safari limit the amount of data that can be downloaded, but the restriction is placed on subdomains rather than the upper-level domain to which they belong. FillDisk.com works by directing subdomains such as 1.filldisk.com, 2.filldisk.com, and so on to each send the maximum amount allowed.”
Of the major browsers, only Firefox is immune to this particular exploit, as it caps the amount of data that can be downloaded.
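The quota accounting behind the quoted explanation, as an added example that is not part of the original article or of FillDisk.com: it replays the same constructed write requests against a limit keyed per subdomain and against one keyed on the upper-level domain. The 5 MB quota, the example.test hostnames and the two-label parent-domain rule are assumptions for illustration.

```javascript
// Added example: compares two ways of keying a Web Storage quota.
// QUOTA_BYTES is an assumed sample limit, not a value taken from the article.
const QUOTA_BYTES = 5 * 1024 * 1024;

// Key used when the limit is placed on each subdomain separately.
function hostKey(origin) {
  return new URL(origin).hostname;
}

// Key used when the limit is placed on the upper-level domain.
// Simplification (assumption): the last two labels are the parent domain;
// a real browser would consult the Public Suffix List instead.
function parentDomainKey(origin) {
  return new URL(origin).hostname.split(".").slice(-2).join(".");
}

// Replays write requests against a quota keyed by keyFn.
// Returns bytes accepted, the rejected requests and the number of quota buckets.
function replay(requests, keyFn, quota = QUOTA_BYTES) {
  const used = new Map();
  const rejected = [];
  let accepted = 0;
  for (const { origin, bytes } of requests) {
    const key = keyFn(origin);
    const current = used.get(key) || 0;
    if (current + bytes > quota) {
      rejected.push({ origin, bytes, key });
      continue;
    }
    used.set(key, current + bytes);
    accepted += bytes;
  }
  return { accepted, rejected, buckets: used.size };
}

// Constructed sample: n numbered subdomains of one parent, each writing a
// full quota, plus one small write from an unrelated site.
function sampleRequests(n = 200) {
  const reqs = [];
  for (let i = 1; i <= n; i++) {
    reqs.push({ origin: `http://${i}.example.test`, bytes: QUOTA_BYTES });
  }
  reqs.push({ origin: "http://other.test", bytes: 1024 });
  return reqs;
}

const perHost = replay(sampleRequests(), hostKey);
const perParent = replay(sampleRequests(), parentDomainKey);
console.log("per-subdomain limit:", perHost.accepted, "bytes in", perHost.buckets, "buckets");
console.log("per-parent limit:", perParent.accepted, "bytes,", perParent.rejected.length, "writes rejected");
```

With the limit keyed per subdomain, every write is accepted and the total grows with the number of subdomains; keyed on the parent domain, the total for one site stays at a single quota while the unrelated site is unaffected.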
In the grand scheme of things, this isn’t the most devilish exploit you’ll ever hear about, of course, but I can still imagine a few people having ‘fun’ with this. Can you?