Exploit Fills Up Hard Drive From a Single Web Page
Chrome, Internet Explorer and Safari are all vulnerable.
Web developer, designer and Stanford University student Feross Aboukhadijeh recently discovered a method of leveraging HTML5 to fill a user's hard drive with data -- which he demonstrates at the appropriately named FillDisk.com.
"Aboukhadijeh explains that the HTML5 Web Storage standard was developed to allow sites to store larger amounts of data on the visitor’s computer," writes Softpedia's Eduard Kovacs. "However, the standard advises browser vendors to set their own limitations for the amount of storage space for each website to avoid abuse."
"Indeed, Chrome, IE, and Safari limit the amount of data that can be downloaded, but the restriction is placed on subdomains rather than the upper-level domain to which they belong," writes Ars Technica's Dan Goodin. "FillDisk.com works by directing subdomains such as 1.filldisk.com, 2.filldisk.com, and so on to each send the maximum amount allowed. Of the browsers Aboukhadijeh tested, only Mozilla Firefox capped the download amount."
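The quota accounting described above, as an added example that is not from the original article or from Aboukhadijeh's demo: it models a browser's storage bookkeeping and compares a limit keyed per hostname with one keyed per registrable domain. The 5 MiB limit, the short public-suffix set and `www.example.org` are assumptions made for the illustration.

```javascript
// Added illustration: a model of storage quota bookkeeping, not any browser's real code.
// Assumed values: a 5 MiB limit per bucket and a tiny stand-in for the Public Suffix List.
const LIMIT = 5 * 1024 * 1024;
const PUBLIC_SUFFIXES = new Set(["com", "org", "co.uk"]); // constructed subset

// Registrable domain (eTLD+1): the longest matching public suffix plus one more label.
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return i === 0 ? labels.join(".") : labels.slice(i - 1).join(".");
    }
  }
  return labels.join("."); // unknown suffix: treat the whole host as its own site
}

class QuotaManager {
  constructor(keyFn) {
    this.keyFn = keyFn;    // maps a hostname to the bucket its usage is charged to
    this.used = new Map(); // bucket -> bytes stored
  }
  // Records the write and returns true only if the bucket stays within LIMIT.
  tryWrite(host, bytes) {
    const key = this.keyFn(host);
    const current = this.used.get(key) || 0;
    if (current + bytes > LIMIT) return false;
    this.used.set(key, current + bytes);
    return true;
  }
  total() {
    let sum = 0;
    for (const bytes of this.used.values()) sum += bytes;
    return sum;
  }
}

// Replays one constructed write sequence under the given bucketing policy.
function simulate(keyFn, subdomainCount) {
  const quota = new QuotaManager(keyFn);
  for (let n = 1; n <= subdomainCount; n++) {
    quota.tryWrite(`${n}.filldisk.com`, LIMIT); // each subdomain requests its maximum
  }
  quota.tryWrite("www.example.org", 1024); // an unrelated site keeps its own budget
  return quota.total();
}

console.log("per-hostname buckets:", simulate((h) => h, 100), "bytes stored");
console.log("per-site buckets:    ", simulate(registrableDomain, 100), "bytes stored");
```

With per-hostname buckets the total grows linearly with the number of subdomains, while charging every subdomain to its registrable domain holds the whole site to a single limit.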
"The demo which Aboukhadijeh created is relatively harmless, but I suspect his source code will be utilised by a lot of pranksters before the browser developers fix their implementation," writes Lifehacker's Angus Kidman.