Select your localized edition:

Close ×

More Ways to Connect

Discover one of our 28 local entrepreneurial communities »

Be the first to know as we launch in new countries and markets around the globe.

Interested in bringing MIT Technology Review to your local market?

MIT Technology ReviewMIT Technology Review - logo

 

Unsupported browser: Your browser does not meet modern web standards. See how it scores »

A suite of tools known collectively as HTML5 is tipped to make websites as complex and powerful as desktop software. But with great power comes great responsibility, and the same HTML5 features that let websites store data locally, execute code while offline, and access hardware such as cameras and microphones can also be used maliciously, according to presentations at this week’s Black Hat security conference in Las Vegas. So far, antivirus and firewall software can do little to protect users.

“There’s a lot of opportunity for hijacking the browsers with HTML5,” said Shreeraj Shah, founder of Indian security company Blueinfy, in a presentation on Thursday. “You can compare HTML5 with a small operating system running in your browser.”

Many developers are turning their attention to HTML5, seeing it as a way to make websites more powerful and capable, and a means of developing software that will run on any device with a suitable browser (see “The Web is Reborn”). So far though, little attention has been paid to the risks that could be introduced by the technology.

Shah walked the audience through his “top 10” attacks made possible using HTML5, most of which involved a person visiting a malicious site that used an HTML5 trick to gain access to their information stored on their computer, or to trick them into providing access to such information. Unlike most of the exploits presented at Black Hat, many of these tricks were made possible by the functionality built into HTML5.

One example saw a person presented with a fake login when he tried to access a real bank’s website; another trick used HTML5 to explore the target’s internal network; and a third used HTML5 to inspect data, potentially including personal information, cached in the browser by another site.

The tricks demonstrated were not coupled with methods to break outside a browser and take complete control of a computer, but HTML5 could be used that way, said Shah. He also noted that browsers on mobile devices can also run HTML5 sites and so face the same challenges, and added that HTML5 is used inside many mobile apps. “A hybrid application is around 15 percent HTML5 and the rest native code,” said Shah. “The trend on mobile is shifting to hybrid.”

Speaking after his presentation, Shah said that guarding Web users against the problems he had identified would require “a combination of browser makers fixing vulnerabilities that they have, and ensuring people use HTML5 correctly.”

Antivirus software could, in theory, check Web code, Shah said. However, the usual approach—looking for “fingerprints” of known dangerous programs—doesn’t transfer well to this area, he said. “Exploits are specific to the particular code used, so it’s not something they can easily look for,” he said.

Sergey Shekyan and two colleagues, all with cloud security company Qualys, gave their own demonstration of the dangers of new Web technology on Thursday. Shekyan used a technology known as Websockets, usually bracketed as part of HTML5, to take remote control of a browser as it visited a website.

Websockets allow the provider of a webpage to create a direct, fast connection to a person’s browser that is useful for features such as streaming video or interactive games. However, Shekyan and colleagues found that many sites use Websocket connections without encryption or other protections. The malicious site they created used a Websocket connection to gain remote control of a Chrome Web browser without the user knowing about it. Shekyan showed how the browser could be directed to silently attack other sites, or steal browsing history and cookies.

“None of the mechanisms that are supposed to catch malicious traffic will work because there are no firewalls that are aware of Websocket protocol,” said Shekyan. “They just allow any kind of connection over Websockets.” That could be changed, he said, but it will be a whole new feature for firewall-type programs, so may take time to implement.

2 comments. Share your thoughts »

Tagged: Computing, Web, software, hybrid, Black Hat, HTML5, web pages

Reprints and Permissions | Send feedback to the editor

From the Archives

Close

Introducing MIT Technology Review Insider.

Already a Magazine subscriber?

You're automatically an Insider. It's easy to activate or upgrade your account.

Activate Your Account

Become an Insider

It's the new way to subscribe. Get even more of the tech news, research, and discoveries you crave.

Sign Up

Learn More

Find out why MIT Technology Review Insider is for you and explore your options.

Show Me
×

A Place of Inspiration

Understand the technologies that are changing business and driving the new global economy.

September 23-25, 2014
Register »