In a fascinating glimpse into how bugs are found and exploited (and reported to browser developers) an HTML5 fail is brought to our attention by Michael McKinnon, security advisor at AVG.
Take a peek at http://www.filldisk.com/ where you will find the HTML5 Hard Disk Filler™ (yes, TM) API. This tidbit of code, made available by Feross Aboukhadijeh, who describes himself as ‘a web developer, designer, and Stanford computer science student’, does just what it says it will: execute it, and your entire hard disk will soon be fill.
Even if it is more capacious than an elephant’s scrotum (we have Blackadder to thank for that colourful imagery).
On his site, Feross (there’s no way we’re typing out his surname) provides some advice on ‘how to troll’ using the exploit, which abuses the HTML5 web storage standard. However, he also points out that he has filed bug reports with the major browser vendors, exhorting them to do something about it.
The exploit will crash your HDD via Chrome, Safari, Opera, and of course, IE 10. However, he says it won’t work on Firefox, ‘since Firefox’s implementation of localStorage is smarter’. Yay Mozilla, etc.
Perhaps most insightful of all is this observation from ferocious Feross: “Creating stuff is hard. Breaking stuff is easy. Thus, I take frequent breaks from creating stuff in order to break stuff.”
And McKinnon? A new bug is no big surprise for him. “There are always risks with new technologies, and as they gain wider adoption inevitably bugs are discovered. There will no doubt be other bugs discovered in the future in browsers that implement HTML5.”
Probably plenty of them, too.