How Can Websites Get Around the Cap?
Decoded Science spoke to Mr. Aboukhadijeh about the issue and how websites are getting around the cap. He clarified that HTML 5 itself was not the problem:
“To be clear, this is not an issue with HTML5, so calling it an ‘HTML5 weakness’ is not accurate. It’s a bug in the way that most browsers (Chrome, Internet Explorer, and Safari) have implemented the HTML5 Web Storage standard. It’s the fault of the browsers, not the HTML5 spec.”
Using up all your memory is just one of the downsides to this data dump. Browsers such as Chrome running on 32-bit systems will most likely crash because of the amount of data being stored. Mr. Aboukhadijeh found that 1GB of data was being stored every 16 seconds!
Mr. Aboukhadijeh tested this through his own website, using the latest versions of all the browsers. His website dumps photos of cats as a mischievous prank to demonstrate the loophole. If this problem is not fixed soon, however, it could be used for something more malicious.
Why doesn’t this issue impact Firefox? Firefox’s implementation of localStorage is ‘smarter’ than that of the other browsers. Google, Apple, Opera and Microsoft have now all been notified of the issue, however, so hopefully a fix will be implemented soon.
Decoded Science asked Firefox to clarify why localStorage was ‘smarter’ but they refused to comment. Mr. Aboukhadijeh explained in more detail that localStorage allows Firefox to place a “10 MB cap on the amount of space that any domain can store”. Any subdomains will need to share that cap.
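The difference between a cap that subdomains share and a cap applied to each hostname separately can be shown with a small accounting model. This is an added example, not browser source code or code from Mr. Aboukhadijeh's site; the class and function names, the sample hosts, the two-label definition of a "domain" and the use of the same 10 MB figure for the per-hostname case are assumptions made for illustration.

```javascript
// Added illustration: a model of storage-quota accounting, not browser source code.
const MB = 1024 * 1024;
const CAP_BYTES = 10 * MB; // the 10 MB cap quoted in the article

// ASSUMPTION: the "domain" is the last two host labels. Real browsers
// consult the Public Suffix List (e.g. for co.uk); this is a simplification.
function baseDomain(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// Quota tracker whose accounting bucket is chosen by keyFn(host).
class QuotaTracker {
  constructor(keyFn, capBytes = CAP_BYTES) {
    this.keyFn = keyFn;
    this.capBytes = capBytes;
    this.used = new Map(); // bucket -> bytes stored
  }
  // true if the write fits; false where a browser would raise QuotaExceededError.
  write(host, bytes) {
    const bucket = this.keyFn(host);
    const current = this.used.get(bucket) || 0;
    if (current + bytes > this.capBytes) return false;
    this.used.set(bucket, current + bytes);
    return true;
  }
  totalBytes() {
    let sum = 0;
    for (const v of this.used.values()) sum += v;
    return sum;
  }
}

// Every host writes 1 MB chunks until refused; returns total bytes stored.
function fillAll(keyFn, hosts) {
  const tracker = new QuotaTracker(keyFn);
  for (const host of hosts) {
    while (tracker.write(host, MB)) { /* keep writing until the cap is hit */ }
  }
  return tracker.totalBytes();
}

// Constructed sample hosts (reserved .test TLD).
const HOSTS = ['a.example.test', 'b.example.test', 'c.example.test', 'other.test'];

const perHost = fillAll((h) => h.toLowerCase(), HOSTS); // one cap per hostname
const perDomain = fillAll(baseDomain, HOSTS);           // one cap shared by subdomains
console.log(`cap per hostname: ${perHost / MB} MB stored`);
console.log(`cap per domain:   ${perDomain / MB} MB stored`);
```

With a per-hostname bucket the total grows with every additional subdomain, while the shared bucket holds each domain to a single cap regardless of how many subdomains it uses.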
Switch to Firefox for Now to Avoid the HTML 5 Loophole
Until the loophole is fixed, it may be worth switching to Mozilla Firefox. If you want to help get the problem fixed sooner, you can do so by alerting the various browser vendors. The more bug reports companies receive about the issue, the higher a priority it will become.