Submit News Alternative Tip Form

Flaw in HTML5 Allows Gigabytes of Data to be Downloaded

Exploit in HTML5 affecting all modern browsers. Only Firefox is safe.

Gigabytes of data could be downloaded to a user’s computer due to a vulnerability in the HMTML5 LocalStorage API.

A exploit exposed by hacker Feross Aboukhadijeh has discovered a way using the LocalStorage API to download gigabytes of data on to a user’s computer with no warning. This vulnerability affects all modern browsers; Chrome, Safari, Opera and Internet Explorer. Firefox is unaffected by this exploit.

One of HTML5′s key features is the ability to save data on to user’s computer for offline capabilities, both Gmail and Google Docs use this feature to provide offline access to their users. The HTML5 standard does recommend for browsers to put a cap on LocalStorage to prevent this loophole, however most modern browsers have not limited LocalStorage. Only Firefox has implemented a limit on LocalStorage.

Feross has creaed a website called FillDisk.com, which takes advantage of this loophole, and will download pictures of cats on to the user’s computer. Feross has logged a bug reports for Chrome, Safari, Internet Explorer and Opera to resolve this issue.

  • Andrew Mezzi

    Most people’s internet speed is a few mbps. This isn’t fast enough to download gigabytes of data.

    • Sebastiaan Franken

      I don’t know where you live in the world but 500/500 is normal here…

      • Andrew Mezzi

        I live in suburban New England. I you the average Comcast internet plan. The plan says that it’s more, but in real world usage, I get 1-2 Mbps down and 500 kbps up.

    • phaux

      The data doesn’t need to be downloaded. It can be generated by the script or the script can save big empty files as well.

    • Ed Hewitt

      The point is that large amounts of data could be downloaded to the user’s computer without them knowing. Doesn’t have to be gigabytes worth, could be a couple of hundred megabytes