A suite of tools known collectively as HTML5 is tipped to make websites as complex and powerful as desktop software. But with great power comes great responsibility, and the same HTML5 features that let websites store data locally, execute code while offline, and access hardware such as cameras and microphones can also be used maliciously, according to presentations at this week’s Black Hat security conference in Las Vegas. So far, antivirus and firewall software can do little to protect users.
“There’s a lot of opportunity for hijacking the browsers with HTML5,” said Shreeraj Shah, founder of Indian security company Blueinfy, in a presentation on Thursday. “You can compare HTML5 with a small operating system running in your browser.”
Many developers are turning their attention to HTML5, seeing it as a way to make websites more powerful and capable, and a means of developing software that will run on any device with a suitable browser (see “The Web is Reborn”). So far though, little attention has been paid to the risks that could be introduced by the technology.
Shah walked the audience through his “top 10” attacks made possible using HTML5, most of which involved a person visiting a malicious site that used an HTML5 trick to gain access to their information stored on their computer, or to trick them into providing access to such information. Unlike most of the exploits presented at Black Hat, many of these tricks were made possible by the functionality built into HTML5.
One example saw a person presented with a fake login when he tried to access a real bank’s website; another trick used HTML5 to explore the target’s internal network; and a third used HTML5 to inspect data, potentially including personal information, cached in the browser by another site.
The tricks demonstrated were not coupled with methods to break outside a browser and take complete control of a computer, but HTML5 could be used that way, said Shah. He also noted that browsers on mobile devices can also run HTML5 sites and so face the same challenges, and added that HTML5 is used inside many mobile apps. “A hybrid application is around 15 percent HTML5 and the rest native code,” said Shah. “The trend on mobile is shifting to hybrid.”
Speaking after his presentation, Shah said that guarding Web users against the problems he had identified would require “a combination of browser makers fixing vulnerabilities that they have, and ensuring people use HTML5 correctly.”
Antivirus software could, in theory, check Web code, Shah said. However, the usual approach—looking for “fingerprints” of known dangerous programs—doesn’t transfer well to this area, he said. “Exploits are specific to the particular code used, so it’s not something they can easily look for,” he said.
Sergey Shekyan and two colleagues, all with cloud security company Qualys, gave their own demonstration of the dangers of new Web technology on Thursday. Shekyan used a technology known as Websockets, usually bracketed as part of HTML5, to take remote control of a browser as it visited a website.
Websockets allow the provider of a webpage to create a direct, fast connection to a person’s browser that is useful for features such as streaming video or interactive games. However, Shekyan and colleagues found that many sites use Websocket connections without encryption or other protections. The malicious site they created used a Websocket connection to gain remote control of a Chrome Web browser without the user knowing about it. Shekyan showed how the browser could be directed to silently attack other sites, or steal browsing history and cookies.
“None of the mechanisms that are supposed to catch malicious traffic will work because there are no firewalls that are aware of Websocket protocol,” said Shekyan. “They just allow any kind of connection over Websockets.” That could be changed, he said, but it will be a whole new feature for firewall-type programs, so may take time to implement.