A Web developer has demonstrated a simple-to-execute exploit that allows websites to surreptitiously bombard visitors' storage devices with gigabytes of junk data.
As its name suggests, FillDisk.com loads an almost unlimited amount of data onto hard drives of people who access the site. It requires no user interaction and works with the Google Chrome, Microsoft Internet Explorer, and Apple Safari browsers. It adds 1GB of data every 16 seconds on a MacBook Pro Retina equipped with a solid state drive, according to Feross Aboukhadijeh, the Web developer and computer science grad student who created the proof-of-concept site.
FillDisk.com manipulates the Web Storage standard included in the HTML5 specification. This standard is designed to make websites easier to use by allowing them to store data on visitors' hard drives. The functionality can be useful when end users are filling out long forms. If the browser crashes before the form has been completed, the data that's already been entered will be available when the person visits the site later. The creators of the standard specifically warn that browser developers should take steps to ensure websites can't abuse the feature by writing unlimited amounts of data.
Indeed, Chrome, IE, and Safari limit the amount of data that can be downloaded, but the restriction is placed on subdomains rather than the upper-level domain to which they belong. FillDisk.com works by directing subdomains such as 1.filldisk.com, 2.filldisk.com, and so on to each send the maximum amount allowed. Of the browsers Aboukhadijeh tested, only Mozilla Firefox capped the download amount. The exploit is simple to implement. Additional details are here and the source code is here.
To be fair to the developers of the affected browsers, the exploit doesn't appear to expose private data or permit the remote execution of malicious code. Compared to many vulnerabilities, the weakness abused by FillDisk.com seems minor. Still, it's not hard to imagine someone e-mailing malicious links to large number of people just to get a rise. In addition to filling up the receivers' hard drives with data, the exploit can cause some versions of Chrome to crash.
Chrome developers responding to Aboukhadijeh's bug report seemed to agree that the behavior isn't ideal. "There is a SHOULD recommendation in the HTML specification suggesting that UAs guard against this behavior," one wrote. "Firefox seems to implement this, we do not."
