
New Web Standards Bring New Security Worries

HTML5, which enables Web pages to mimic conventional software, also introduces new security problems.
July 27, 2012

A suite of tools known collectively as HTML5 is tipped to make websites as complex and powerful as desktop software. But with great power comes great responsibility, and the same HTML5 features that let websites store data locally, execute code while offline, and access hardware such as cameras and microphones can also be used maliciously, according to presentations at this week’s Black Hat security conference in Las Vegas. So far, antivirus and firewall software can do little to protect users.

“There’s a lot of opportunity for hijacking the browsers with HTML5,” said Shreeraj Shah, founder of Indian security company Blueinfy, in a presentation on Thursday. “You can compare HTML5 with a small operating system running in your browser.”

Many developers are turning their attention to HTML5, seeing it as a way to make websites more powerful and capable, and as a means of developing software that will run on any device with a suitable browser (see “The Web is Reborn”). So far, though, little attention has been paid to the risks the technology could introduce.

Shah walked the audience through his “top 10” attacks made possible by HTML5. Most involved a person visiting a malicious site that used an HTML5 trick to gain access to information stored on their computer, or to trick them into providing access to such information. Unlike most of the exploits presented at Black Hat, many of these tricks relied on functionality built into HTML5 itself rather than on bugs.

One example saw a person presented with a fake login when he tried to access a real bank’s website; another trick used HTML5 to explore the target’s internal network; and a third used HTML5 to inspect data, potentially including personal information, cached in the browser by another site.

The tricks demonstrated were not coupled with methods to break outside the browser and take complete control of a computer, but HTML5 could be used that way, said Shah. He noted that browsers on mobile devices can also run HTML5 sites and so face the same challenges, and added that HTML5 is used inside many mobile apps. “A hybrid application is around 15 percent HTML5 and the rest native code,” said Shah. “The trend on mobile is shifting to hybrid.”

Speaking after his presentation, Shah said that guarding Web users against the problems he had identified would require “a combination of browser makers fixing vulnerabilities that they have, and ensuring people use HTML5 correctly.”

Antivirus software could, in theory, check Web code, Shah said. However, the usual approach—looking for “fingerprints” of known dangerous programs—doesn’t transfer well to this area, he said. “Exploits are specific to the particular code used, so it’s not something they can easily look for,” he said.

Sergey Shekyan and two colleagues, all with cloud security company Qualys, gave their own demonstration of the dangers of new Web technology on Thursday. Shekyan used a technology known as WebSockets, usually bracketed as part of HTML5, to take remote control of a browser as it visited a website.

WebSockets allow the provider of a webpage to open a direct, persistent connection to a person’s browser, which is useful for features such as streaming video or interactive games. However, Shekyan and colleagues found that many sites use WebSocket connections without encryption or other protections. The malicious site they created used a WebSocket connection to gain remote control of a Chrome Web browser without the user knowing about it. Shekyan showed how the browser could be directed to silently attack other sites, or to steal browsing history and cookies.

“None of the mechanisms that are supposed to catch malicious traffic will work because there are no firewalls that are aware of WebSocket protocol,” said Shekyan. “They just allow any kind of connection over WebSockets.” That could be changed, he said, but it will be a whole new feature for firewall-type programs, so it may take time to implement.
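The two weaknesses Shekyan’s team described, unencrypted WebSocket endpoints and servers that accept a socket from whichever site opened it, can both be checked at the handshake. The following is an added example, not code from the article, Blueinfy or Qualys; the hostnames, headers and allowed-origin list are constructed.

```python
# Added example (not from the article or the companies it quotes): audit
# WebSocket upgrade handshakes for an unencrypted endpoint (ws:// rather than
# wss://) and for an Origin the server should not be accepting.
from urllib.parse import urlparse


def check_handshake(url, headers, allowed_origins):
    """Return a list of findings for one client-to-server WebSocket upgrade.

    url             endpoint the client connected to, e.g. "wss://host/path"
    headers         HTTP headers of the client's upgrade request (any case)
    allowed_origins set of page origins that may open a socket to this server
    """
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("upgrade", "").lower() != "websocket":
        return ["not a WebSocket handshake"]
    findings = []
    scheme = urlparse(url).scheme
    if scheme != "wss":
        findings.append("unencrypted: %s:// instead of wss://" % scheme)
    origin = h.get("origin")
    if origin is None:
        findings.append("no Origin header: opener of the socket is unknown")
    elif origin not in allowed_origins:
        findings.append("cross-origin handshake from %s" % origin)
    if not h.get("sec-websocket-key"):
        findings.append("missing Sec-WebSocket-Key: malformed handshake")
    return findings


def audit(handshakes, allowed_origins):
    """Map each handshake URL to its findings; an empty list means it passed."""
    return {url: check_handshake(url, hdrs, allowed_origins)
            for url, hdrs in handshakes}


# Constructed sample handshakes (hypothetical hosts), as a proxy might log them.
SAMPLE_HANDSHAKES = [
    ("wss://chat.example.com/socket",
     {"Upgrade": "websocket", "Origin": "https://chat.example.com",
      "Sec-WebSocket-Key": "dGhlIHNhbXBsZSBub25jZQ=="}),
    ("ws://chat.example.com/socket",
     {"Upgrade": "websocket", "Origin": "https://evil.example.net",
      "Sec-WebSocket-Key": "dGhlIHNhbXBsZSBub25jZQ=="}),
]
ALLOWED = {"https://chat.example.com"}

if __name__ == "__main__":
    for url, findings in audit(SAMPLE_HANDSHAKES, ALLOWED).items():
        print(url, "OK" if not findings else "; ".join(findings))
```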
