updated 06:15 pm EST, Mon March 4, 2013
Firefox, older 32-bit browsers may avoid worst effects
On the heels of more problems with browser plug-ins such as Java and Flash, a newly-discovered flaw in HTML5 -- used throughout the web and a fundamental part of all modern browsers -- can be used maliciously to fill hard drives to capacity with junk data. The exploit can be demonstrated on a website set up to document the flaw, called Filldisk. All browsers are susceptible to it -- though Mozilla's Firefox features a hard cap of 5MB of such data and thus mitigates the effect, while some older 32-bit browsers may crash rather than fill up the drive.
A developer named Feross Aboukhadijeh discovered the problem, which concerns how HTML5 handles local data storage. Though all browsers have a data cap (usually set by the user), it can be bypassed by creating linked "temporary" websites that each get the same storage allotment as the primary site, all invisible to the visitor. The HTML5 specification actually already addresses this problem and says that "affiliate" sites should be limited to the cap assigned to the primary site, however most browsers (apart from Firefox) don't honor the guideline.
The practical effect is that a malicious website could dump sufficient data onto a hard drive to fill it up after only a few minutes -- Aboukhadijeh was able to pump as much as 1GB of data every 16 seconds on some machines. He had already reported the flaw to all browser makers before creating the public website. No malicious use of the flaw has been seen in the wild so far. Visitors to the Filldisk site can see the effect in action, but can reclaim all the space by simply stopping the dumping of cat pictures (an arbitrary example of junk data).