Gigabytes of data could be downloaded to a user’s computer due to a vulnerability in the HMTML5 LocalStorage API.
A exploit exposed by hacker Feross Aboukhadijeh has discovered a way using the LocalStorage API to download gigabytes of data on to a user’s computer with no warning. This vulnerability affects all modern browsers; Chrome, Safari, Opera and Internet Explorer. Firefox is unaffected by this exploit.
One of HTML5’s key features is the ability to save data on to user’s computer for offline capabilities, both Gmail and Google Docs use this feature to provide offline access to their users. The HTML5 standard does recommend for browsers to put a cap on LocalStorage to prevent this loophole, however most modern browsers have not limited LocalStorage. Only Firefox has implemented a limit on LocalStorage.
Feross has creaed a website called FillDisk.com, which takes advantage of this loophole, and will download pictures of cats on to the user’s computer. Feross has logged a bug reports for Chrome, Safari, Internet Explorer and Opera to resolve this issue.