HTML5 raises new security issues

As HTML5 enhances the Web, so too will it bring new vulnerabilities, security experts warn

When it comes to new security issues, the security team for the Firefox browser have the new version of the Web HyperText Markup Language, HTML5, foremost on the mind.

"Web apps are becoming incredibly rich with HTML5. The browser is starting to manage full-bore applications and not just Web pages," said Sid Stamm, who works on Firefox security issues for the Mozilla Foundation. Stamm was speaking at the Usenix Security Symposium, held last week in Washington D.C.

"There is a lot of attack surface we need to think about," he said.

On the same week Stamm expressed worry over HTML5, developers of the Opera browser were busy fixing a buffer overflow vulnerability that could be exploited using the HTML5 canvas image-rendering feature.

Is it inevitable that the World Wide Web Consortium's (W3C) new set of standards for rendering Web pages, collectively known as HTML5, come with a whole new bundle of vulnerabilities? At least some security researchers are thinking this is the case.

"HTML5 brings a lot of features and power to the Web. You can do so much more [malicious work] with plain HTML5 and JavaScript now than it was ever possible before," said security researcher Lavakumar Kuppan.

The W3C is "gearing this entire redesign over the idea that we will start executing applications within the browser, and we've proven over the years how secure browsers are," said Kevin Johnson, a penetration tester with security consulting firm Secure Ideas. "We have to go back to understanding the browser is a malicious environment. We lost site of that."

Although it is the name of a specification on its own, HTML5 is also often used to describe a collection of loosely interrelated set of standards that, taken together, can be use to build full-fledged web applications. They offer capabilities such as page formatting, offline data storage, image rendition and other aspects. (Though not a W3C spec, JavaScript is also frequently lumped in these standards, so widely used it is in building Web applications).

All this new proposed functionality is beginning to be explored by security researchers.

Earlier this summer, Kuppan and another researcher posted a way to misuse the HTML5 Offline Application Cache. Google Chrome, Safari, Firefox and the beta of the Opera browser have all already implemented this feature, and would be vulnerable to attacks that used this approach, they noted.

The researchers argue that because any Web site can create a cache on the user's computer, and, in some browsers, do so without that user's explicit permission, an attacker could set up a fake log-in page to a site such as a social networking or e-commerce site. Such a fake page could then be used to steal the user's credentials.

Other researchers were divided about the value of this finding.

"It's an interesting twist but it does not seem to offer network attackers any additional advantage beyond what they can already achieve," wrote Chris Evans on the Full Disclosure mailing list. Evans is the creator of the Very Secure File Transfer Protocol (vsftp) software.

Dan Kaminsky, chief scientist of the security research firm Recursion Ventures, agreed that this work is a continuation of attacks developed before HTML5. "Browsers don't just request content, render it, and throw it away. They also store it for later use ... Lavakumar is observing that the next-generation caching technologies suffer this same trait," he said, in an e-mail interview.

Critics agreed that this attack would rely on a site not using Secure Sockets Layer (SSL) to encrypt data between the browser and Web page server, which is commonly practiced. But even if this work did not unearth a new type of vulnerability, it does show that an old vulnerability can be reused in this new environment.

Johnson says that, with HTML5, many of the new features constitute threats on their own, due to how they increase the number of ways an attacker could harness the user's browser to do harm of some sort.

"For years security has focused on vulnerabilities--buffer overflows, SQL injection attacks. We patch them, we fix them, we monitor them," Johnson said. But in HTML5's case, it is often the features themselves "that can be used to attack to us," he said.

As an example, Johnson points to Google's Gmail, which is an early user of HTML5's local storage capabilities. Before HTML5, an attacker may have had to steal cookies off a machine and decode them to get the password for an online e-mail service. Now, the attacker needs only to gain entry into the user's browser, where Gmail stories a copy of the inbox.

"These feature sets are scary," he said. "If I can find a flaw in your Web application, and inject HTML5 code, I can modify your site and hide things I don't want you to see."

With local storage, an attacker can read data from your browser, or insert other data there without your knowledge. With geolocation, an attacker can determine your location without your knowledge. With the new version of Cascading Style Sheets (CSS), an attacker can control what elements of a CSS-enhanced page you can see. The HTML5 WebSocket supplies a network communication stack to the browser, which could be misused for surreptitious backdoor communications.

This is not to say that the browser makers are oblivious to this issue. Even as they work to add in the support for the new standards, they are looking at ways to prevent their misuse. At the Usenix symposium, Stamm noted some of the techniques that the Firefox team is exploring to mitigate damage that could be done with these new technologies.

For instance, they are working on an alternative plug-in platform, called JetPack, that would keep tighter control of what actions a plug-in could execute. "If we have complete control of the [application programming interface], we're able to say 'This add-on is requesting access to, would you allow it?'" Stamm said.

JetPack may also use a declarative security model, in which the plug-in must declare to the browser each action it intends to undertake. The browser then would monitor the plug-in to ensure it stays within these parameters.

Still, whether browser makers can do enough to secure HTML5 remains to be seen, critics contend.

"The enterprise has to start evaluating whether it is worth these features to roll out the new browsers," Johnson said. "This is one of the few times you may hear 'You know, maybe [Internet Explorer]6 was better.'"

Joab Jackson covers enterprise software and general technology breaking news for The IDG News Service. Follow Joab on Twitter at @Joab_Jackson. Joab's e-mail address is

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags operaapplication developmentWeb services developmentLanguages and standardsSOAArchitectureMozilla Foundationsoftwareinternethtml 5html5

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Joab Jackson

IDG News Service
Show Comments

Most Popular Reviews

Latest News Articles


PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?