Ming Chow Spots Big Security Holes in HTML5
The world’s software giants are looking to the upcoming HTML5 web standard to be the unifying force for the presentation of web content in the future. The problem is that the standard will expose users to a horrendous number of security vulnerabilities.
“The attack surface just got significantly larger,” says Ming Chow, a Tufts University computer science department lecturer. “Now with HTML5, a large population of victims can be reached very easily thanks to the complexities of the new web browser.”
Chow laid out the nature of the vulnerabilities in a speech at the Defcon hacker conference. In a nutshell, HTML5’s data-storage structure amounts to an open invitation to malware authors to slip abusive code into both web sites and applications with which to infect users’ personal computers and other devices.
That’s bad news for tech giants like Google, Apple and Microsoft who are looking to HTML5 to provide the common, unifying language so a single application can be created to run on websites, mobile phones, tablets and a host of other devices likely to be waiting in the wings for just such an advance. And unfortunately HTML5’s security vulnerabilities are unlikely to be fixed easily because they are structural, says Chow. The best approach may be for developers to design around the vulnerabilities.
One of the biggest holes is the use of client-side storage in HTML5 applications — i.e. allowing applications to store data on a user’s hard drive rather than on a server. While this allows some efficiencies, like making the app available offline and speeding up performance, it greatly expands the data space for things like “cookies,” or sensitive data that helps identify a user; what used to be limited to 4 kilobytes of data would swell to 5 megabytes, giving malware authors ample space to plant all kinds of malicious software with which to abuse the user’s device as well as to access personal data.
In his talk Chow demonstrated how easy it would be for hackers to get access to that data via a “cross-site scripting vulnerability” in the web application. For example, a fake log-in page planted in the client-side storage on the user’s computer could be used to steal the user’s credentials. HTML5 would also make it much easier to cover an attacker’s tracks.
“All that stuff you heard in the past about sanitizing data is just as important when the data is stored on the client side,” said Chow. “These are lessons from 2004. Now we are in 2011. Everything in local storage is susceptible to being stolen. The problem has gotten that much greater. As dumb as it sounds, you’re always going to have developers who are going to store a lot of sensitive information in local storage.”
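The two habits Chow is pressing for, shown as an added example that is not from the talk or the article: keep secrets out of localStorage at all, and escape anything pulled back out of it before it touches the DOM. The in-memory `storage` map and the `SENSITIVE_KEY` policy list are assumptions so the snippet runs outside a browser.

```javascript
// Added example (not the article's code). In HTML5, everything an app puts in
// localStorage is readable by any script running on that origin, so a single
// XSS bug exposes all of it. Defences: store nothing sensitive, escape on output.

// Stand-in for window.localStorage so this runs under Node (assumption).
const storage = new Map();

// Keys that must never be persisted client-side (assumed policy list).
const SENSITIVE_KEY = /password|passwd|secret|token|session|ssn|card/i;

// Refuses to persist sensitive data; returns true when stored, false when refused.
function safeStore(key, value) {
  if (SENSITIVE_KEY.test(key)) return false;
  storage.set(key, String(value));
  return true;
}

// Escape the five characters that matter when data is placed into HTML text or attributes.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Vulnerable rendering: stored data is concatenated straight into markup,
// so a stored value containing a script tag becomes live code on the page.
function renderUnsafe(key) {
  return '<p>Welcome back, ' + (storage.get(key) || '') + '</p>';
}

// Hardened rendering: the same data, escaped on the way out.
function renderSafe(key) {
  return '<p>Welcome back, ' + escapeHtml(storage.get(key) || '') + '</p>';
}

// Constructed sample: a display name that smuggles in a script tag.
const INJECTED_NAME = 'Ming<script>steal(localStorage)</script>';
safeStore('displayName', INJECTED_NAME);
```

`renderSafe` is what the 2004 lesson looks like in 2011: the data is untrusted whether it came from a server or from the user's own disk.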
Another dubious advantage of HTML5 is the ability to tap the 2D graphics processing power of the device to accelerate applications. For example, videos can be played without having to download a plug-in first. But that presents another opening for hackers, especially if there is a flaw in the codec — the encoder and decoder engine — for playing the video, because those codecs are often built by third parties.
“You just don’t know what is going on behind the scenes there,” Chow cautioned. “We’re venturing into uncharted territory. That’s no man’s land.”
HTML5’s geolocation feature enables a host of useful web applications, but it also allows attackers to determine a user’s location without his knowledge.
HTML5, which remains a work in progress, is being incorporated into browsers like Firefox, Internet Explorer 9 and Google Chrome. Chow says he hasn’t gotten feedback yet from the HTML5 working group but is pessimistic about fixes for the security flaws because old attacks from as far back as 2004, like SQL injection, are still being used to break into websites and access extraneous data from a web database table.
“HTML5 is not going to go away anytime soon,” Chow said. “Starting over with it is not a reasonable thing to do. The writers of the specification can do one thing. But the developers themselves need to keep an eye on security. Whenever there is a new language, there isn’t a lot of attention on security. We haven’t trained web developers well enough. Security seems like a complete afterthought in putting together the HTML5 specification. A lot of stuff to defend yourself — this is not new.”
Chow’s security concerns are also reflected in a recent report by the European Union’s cyber security agency, ENISA. It counted around 50 security threats, many of them quite major. The report suggests one way to reduce the risk is to use Secure Sockets Layer (SSL).
Ming Chow got his B.S. and M.S. in Computer Science from Tufts University. His current research work focuses on game development, online game security and web application security. He is currently teaching courses on introduction to game development, web programming and web engineering.
Ming Chow is a computer sciences lecturer at Tufts University who has analyzed serious vulnerabilities in the upcoming HTML5 standard.