Ming Chow, a lecturer at the computer science department of Tufts University, said last week in a talk at the Defcon hacker conference that the next major version of the hypertext markup language (HTML) is full of holes that could make it easy for malware authors to place rogue code into web sites and applications.
“The attack surface just got significantly larger,” Chow said in a follow-up interview. “Now with HTML5, a large population of victims can be reached very easily thanks to the complexities of the new web browser.”
That’s a problem because a number of HTML5 supporters among big tech companies want it to become the lingua franca of the web, where developers can create a single HTML5 application and have it run on web sites, mobile phones, and other devices.
HTML5 is still a work in progress, and it has major backing from Google, Microsoft and Apple.
Chow isn’t sure that the security vulnerabilities can be easily fixed. Rather, he says that developers may simply have to be aware of the problems and design around them as much as possible.
Among the features that could invite attack is the use of client-side storage in HTML5 applications. Client-side storage is a way to store data on a user’s hard drive rather than on a server. That makes the web app available offline and helps improve performance, but Chow says it is a vector for abuse. The size of the data for things like “cookies,” or sensitive data that helps identify a user, is now significantly higher. It used to be four kilobytes of data that could be stored, but now it’s more like 5 megabytes for client-side storage. And as Chow demonstrated in his talk, it is not so hard to get access to that data via a “cross-site scripting vulnerability” in the web application.
An attacker could set up a fake log-in page to a site in the client-side data storage on the user’s computer, and that fake page could be used to steal the user’s credentials. This is like an old exploit being used in a new attack environment. But it is also easier to hide evidence of the attack.
“If you don’t sanitize that data correctly, you can get at that data,” Chow said. “All that stuff you heard in the past about sanitizing data is just as important when the data is stored on the client side. These are lessons from 2004. Now we are in 2011. Everything in local storage is susceptible to being stolen. The problem has gotten that much greater. As dumb as it sounds, you’re always going to have developers who are going to store a lot of sensitive information in local storage.”
HTML5 can also tap the 2D graphics processing power of the device it is running on to accelerate the HTML5 applications. You can play videos without having to download a plug-in first. But that is also another way to introduce vulnerabilities, especially if there is a flaw in the codec — the encoder and decoder engine — for playing the video. Those codecs can be built by third parties.
“You just don’t know what is going on behind the scenes there,” Chow said. “We’re venturing into uncharted territory. That’s no man’s land.”
Still another feature is geolocation, which can tell web applications where you are for a variety of purposes. But an attacker can use the geolocation feature to determine your location without your knowledge.
HTML5 is still a work in progress and it isn’t done yet. (We’ve checked with them for a response). It is being incorporated into browsers such as Google Chrome and Firefox, as well as Microsoft’s Internet Explorer 9. Chow said he hasn’t had a lot of feedback yet from the HTML5 working group. He isn’t optimistic because web sites are still being broken into using attacks from 2004 such as SQL injection, where the attacker fetches more data than necessary from a web database table.
Chow isn’t alone in raising security issues. A recent report by the European Union’s cyber security agency, ENISA, said the security threats number around 50 and they aren’t that small. One way to mitigate is to use SSL, or secure socket layer,
“HTML5 is not going to go away anytime soon,” Chow said. “Starting over with it is not a reasonable thing to do. The writers of the specification can do one thing. But the developers themselves need to keep an eye on security. Whenever there is a new language, there isn’t a lot of attention on security. It’s so scattered now. We haven’t trained web developers well enough. Adding this stack of HTML5 is only going to make it worse. We have to get security into the mindset of developers.”
He added, “Security seems like a complete afterthought in putting together the HTML5 specification. A lot of stuff to defend yourself — this is not new.”